
Analysis Report LKVQYCZZkBgadMX.exe

Overview

General Information

Sample Name:LKVQYCZZkBgadMX.exe
Analysis ID:254522
MD5:bef5cac24c190344f2bd75ae5e12b4f5
SHA1:99cfe77679e1e0abc487b61ac3093e1fed30a277
SHA256:df4ac313a1013e4111037cb09097cc4a53251d144568c8bd1fd4587cb8f7c4b4

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • LKVQYCZZkBgadMX.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe' MD5: BEF5CAC24C190344F2BD75AE5E12B4F5)
    • schtasks.exe (PID: 7096 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpD88A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6164 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • RegSvcs.exe (PID: 6232 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • dhcpmon.exe (PID: 6000 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
LKVQYCZZkBgadMX.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x15529:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\&startupname&.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x15529:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xa8e45:$x1: NanoCore.ClientPluginHost
  • 0xdb665:$x1: NanoCore.ClientPluginHost
  • 0xa8e82:$x2: IClientNetworkHost
  • 0xdb6a2:$x2: IClientNetworkHost
  • 0xac9b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xdf1d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xa8bad:$a: NanoCore
  • 0xa8bbd:$a: NanoCore
  • 0xa8df1:$a: NanoCore
  • 0xa8e05:$a: NanoCore
  • 0xa8e45:$a: NanoCore
  • 0xdb3cd:$a: NanoCore
  • 0xdb3dd:$a: NanoCore
  • 0xdb611:$a: NanoCore
  • 0xdb625:$a: NanoCore
  • 0xdb665:$a: NanoCore
  • 0xa8c0c:$b: ClientPlugin
  • 0xa8e0e:$b: ClientPlugin
  • 0xa8e4e:$b: ClientPlugin
  • 0xdb42c:$b: ClientPlugin
  • 0xdb62e:$b: ClientPlugin
  • 0xdb66e:$b: ClientPlugin
  • 0xa8d33:$c: ProjectData
  • 0xdb553:$c: ProjectData
  • 0xa973a:$d: DESCrypto
  • 0xdbf5a:$d: DESCrypto
  • 0xb1106:$e: KeepAlive
00000005.00000002.1549823607.00000000067C0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
00000005.00000002.1549823607.00000000067C0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
(39 entries in total)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.RegSvcs.exe.63b0000.8.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x16e3:$x1: NanoCore.ClientPluginHost
  • 0x171c:$x2: IClientNetworkHost
5.2.RegSvcs.exe.63b0000.8.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x16e3:$x2: NanoCore.ClientPluginHost
  • 0x1800:$s4: PipeCreated
  • 0x16fd:$s5: IClientLoggingHost
5.2.RegSvcs.exe.67a0000.15.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
5.2.RegSvcs.exe.67a0000.15.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
5.2.RegSvcs.exe.6420000.13.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
(53 entries in total)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6232, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpD88A.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpD88A.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe', ParentImage: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe, ParentProcessId: 6888, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpD88A.tmp', ProcessId: 7096

Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1546525133.00000000043EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1540039198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1548612305.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY
Source: Yara match, File source: 5.2.RegSvcs.exe.5ba0000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegSvcs.exe.5ba0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: LKVQYCZZkBgadMX.exe, Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 79.134.225.71:1985
Source: global traffic, TCP traffic: 192.168.2.5:49741 -> 79.134.225.71:1985
Source: unknown, TCP traffic detected without corresponding DNS query: 79.134.225.71 (reported 50 times)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 5_2_056C2F3E WSARecv, 5_2_056C2F3E
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000005.00000002.1542961150.00000000033E4000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1275897292.00000000058E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licen
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1311729826.00000000019CC000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1311729826.00000000019CC000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com-u
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1275897292.00000000058E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1311161804.00000000058E3000.00000004.00000001.sdmp, LKVQYCZZkBgadMX.exe, 00000000.00000003.1281931332.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1279613335.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com.TTF
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1279613335.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281381590.00000000058DB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280719623.00000000058E3000.00000004.00000001.sdmp, LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280719623.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmla-dE=T
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281400936.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers92
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1284948119.00000000058E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersH
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281750733.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersb
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281931332.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281931332.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF#;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280719623.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comFI;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280719623.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comFr;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280719623.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comTTF
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280719623.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281931332.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comalsFl;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281931332.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcom_;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1284948119.00000000058E5000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.come.com
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280719623.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comeded
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280719623.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comessedV;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281931332.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comice
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1280167976.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comiono1;v
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1311161804.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comm
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1279512722.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comr;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281931332.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comsiv
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1279711393.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comt
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1275897292.00000000058E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1275490690.00000000058E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1275897292.00000000058E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn08v
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1275330708.00000000019CB000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnia
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1283022857.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1282914518.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/#;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1283367786.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/s
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1283022857.00000000058E3000.00000004.00000001.sdmp, LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1275314582.00000000058E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277299209.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277299209.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/1;v
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1276429708.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/G;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1276429708.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/I;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277299209.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/P4
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277299209.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/V;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277203297.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/I;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277914127.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/_;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277524981.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/l;
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277299209.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/sk-s
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1276429708.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1277524981.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1279233870.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.de
Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1319133042.0000000006B82000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1279334743.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deK.l
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1281805207.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deMT
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1279334743.00000000058E3000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deoi
Source: LKVQYCZZkBgadMX.exe, 00000000.00000003.1275897292.00000000058E7000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000005.00000002.1546525133.00000000043EA000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1546525133.00000000043EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1540039198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1548612305.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY
Source: Yara match, File source: 5.2.RegSvcs.exe.5ba0000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegSvcs.exe.5ba0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.1549823607.00000000067C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549666259.0000000006420000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549854984.00000000067F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549595234.0000000006400000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1548316766.0000000005880000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549256938.0000000006310000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1542961150.00000000033E4000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.1549623358.0000000006410000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549559818.00000000063F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549207548.0000000006300000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1540039198.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1540039198.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.1549715165.0000000006580000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549329638.00000000063B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1548612305.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549463152.00000000063D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.1549775865.00000000067A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegSvcs.exe.63b0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.67a0000.15.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6420000.13.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6300000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.63d0000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6300000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.67f0000.17.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.63f0000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.67f0000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6400000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6420000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6310000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6310000.7.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.67c0000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6410000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6580000.14.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.5ba0000.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.63d0000.9.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.5ba0000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.63f0000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.5880000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.6580000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegSvcs.exe.6410000.12.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 5.2.RegSvcs.exe.67c0000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.RegSvcs.exe.67a0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_08B213D2 NtQuerySystemInformation
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_08B21397 NtQuerySystemInformation
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_056C1806 NtQuerySystemInformation
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_056C17CB NtQuerySystemInformation
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_00EC22DB
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03103768
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109789
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310E210
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310E698
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03106559
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03105458
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03105C48
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310DB18
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03108F52
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310CB70
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_031053D5
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109610
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109600
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03108208
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310A22D
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109258
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109268
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_031081F8
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109412
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310541B
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109837
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310543D
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109420
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310985F
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_03109848
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310608A
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_031098B6
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_0310D0A0
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_031048A9
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_056319A0
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_056338C5
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_05631CD8
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_05630AA8
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_056339DB
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_05631070
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_05631EE8
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_05631ED9
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe | Code function: 0_2_05630A98
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_06584684
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055A3850
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055A8828
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055AB0F8
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055A2FA8
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055A23A0
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055A306F
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055A9428
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055A9CD0
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 5_2_055A94EF
    Source: LKVQYCZZkBgadMX.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: &startupname&.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: LKVQYCZZkBgadMX.exe | Binary or memory string: OriginalFilename vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1320576856.0000000008C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1323016798.0000000009770000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1323016798.0000000009770000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe, 00000000.00000000.1273107571.0000000000EC2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamedVhXF.exe< vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1321434704.0000000008E70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1322389487.0000000009670000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe, 00000000.00000002.1312801777.00000000035A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe | Binary or memory string: OriginalFilenamedVhXF.exe< vs LKVQYCZZkBgadMX.exe
    Source: LKVQYCZZkBgadMX.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.1315271968.0000000004654000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.1549823607.00000000067C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549823607.00000000067C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549666259.0000000006420000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549666259.0000000006420000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549854984.00000000067F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549854984.00000000067F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549595234.0000000006400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549595234.0000000006400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000000.1273107571.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000005.00000002.1548316766.0000000005880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1548316766.0000000005880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549256938.0000000006310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549256938.0000000006310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1542961150.00000000033E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.1311254396.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 00000005.00000002.1549623358.0000000006410000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549623358.0000000006410000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549559818.00000000063F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549559818.00000000063F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549207548.0000000006300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549207548.0000000006300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1540039198.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1540039198.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.1549715165.0000000006580000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549715165.0000000006580000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549329638.00000000063B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549329638.00000000063B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1548612305.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1548612305.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549463152.00000000063D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549463152.00000000063D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.1549775865.00000000067A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.1549775865.00000000067A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: Process Memory Space: LKVQYCZZkBgadMX.exe PID: 6888, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: RegSvcs.exe PID: 6232, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, type: DROPPED | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 5.2.RegSvcs.exe.63b0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.63b0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.67a0000.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.67a0000.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6420000.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6420000.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6300000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6300000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.63d0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.63d0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6300000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6300000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.67f0000.17.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.67f0000.17.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.63f0000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.63f0000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.67f0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.67f0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6400000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6420000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6420000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6310000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6310000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6310000.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6310000.7.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.67c0000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.67c0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6410000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6410000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6580000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6580000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.5ba0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.5ba0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.63d0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.63d0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.5ba0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.5ba0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.63f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.63f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.5880000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.5880000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.6580000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6580000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.6410000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6410000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.67c0000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.67c0000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.RegSvcs.exe.67a0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.67a0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.LKVQYCZZkBgadMX.exe.ec0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0.0.LKVQYCZZkBgadMX.exe.ec0000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: LKVQYCZZkBgadMX.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: &startupname&.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 5.2.RegSvcs.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 5.2.RegSvcs.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'CreateDecryptor'
    Source: 5.2.RegSvcs.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs Cryptographic APIs: 'TransformFinalBlock'
    Source: classification engine Classification label: mal100.troj.evad.winEXE@10/11@0/1
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe Code function: 0_2_08B20ECA AdjustTokenPrivileges, 0_2_08B20ECA
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe Code function: 0_2_08B20E93 AdjustTokenPrivileges, 0_2_08B20E93
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 5_2_056C15C6 AdjustTokenPrivileges, 5_2_056C15C6
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 5_2_056C158F AdjustTokenPrivileges, 5_2_056C158F
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LKVQYCZZkBgadMX.exe.log
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{b906c32a-7c7b-408f-aea8-c2cf051540c7}
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe
    Source: LKVQYCZZkBgadMX.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe File read: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe
    Source: unknown Process created: C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe 'C:\Users\user\Desktop\LKVQYCZZkBgadMX.exe'
    Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpD88A.tmp'
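Two of the behaviours recorded above are directly usable as detection logic: schtasks.exe registering a task from an XML file in the user's Temp directory (the "Scheduled temp file as task from temp location" Sigma hit), and RegSvcs.exe, a .NET framework utility with no reason to write into Program Files, creating the "DHCP Monitor" directory that later hosts dhcpmon.exe. The Python below is an added example written for this page, not part of the Joe Sandbox report or of any vendor tooling. It runs both checks over a handful of constructed process-creation and file-creation events; the first and third events mirror lines from this report, the other two are benign look-alikes added as negative cases, and the event field names (`type`, `cmdline`, `image`, `path`) are an assumed layout rather than any specific log format.

```python
"""Detection checks for two behaviours recorded in this sandbox report.

Added example, not part of the Joe Sandbox report. It flags:
  1. schtasks.exe creating a task (/Create) from an XML file (/XML) located
     under a user's AppData\\Local\\Temp directory, and
  2. a .NET framework helper such as RegSvcs.exe creating files or
     directories under Program Files.
The events below are constructed to mirror the report's process-creation
and file-creation lines; their field names are an assumption.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# One token per argument; single or double quotes group a path containing spaces.
TOKEN_RE = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\")
# .NET framework utilities commonly used as injection hosts; RegSvcs.exe is the one seen here.
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe"}


@dataclass
class Finding:
    rule: str
    evidence: str


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring quotes."""
    return [sq or dq or bare for sq, dq, bare in TOKEN_RE.findall(cmdline)]


def check_schtasks(cmdline: str) -> Finding | None:
    """Flag 'schtasks /Create ... /XML <file>' when <file> sits in a Temp folder."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() != "schtasks.exe":
        return None
    lower = [t.lower() for t in toks]
    if "/create" not in lower or "/xml" not in lower:
        return None
    xml_idx = lower.index("/xml") + 1
    if xml_idx >= len(toks):  # '/XML' given without a following path
        return None
    xml_path = toks[xml_idx]
    if TEMP_RE.search(xml_path):
        return Finding("schtasks_create_from_temp_xml", xml_path)
    return None


def check_dotnet_utility_drop(image: str, created_path: str) -> Finding | None:
    """Flag a .NET framework helper binary writing under Program Files."""
    if ntpath.basename(image).lower() not in DOTNET_UTILITIES:
        return None
    if PROGRAM_FILES_RE.match(created_path):
        return Finding("dotnet_utility_drop_in_program_files", created_path)
    return None


def scan(events: list[dict]) -> list[Finding]:
    """Apply both checks to a list of event dictionaries and return the hits."""
    findings: list[Finding] = []
    for ev in events:
        hit = None
        if ev["type"] == "process_create":
            hit = check_schtasks(ev["cmdline"])
        elif ev["type"] == "file_create":
            hit = check_dotnet_utility_drop(ev["image"], ev["path"])
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed events: the first and third mirror lines from this report,
# the second and fourth are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmpD88A.tmp'"},
    {"type": "process_create",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Vendor\Updater' "
                r"/XML 'C:\ProgramData\Vendor\updater.xml'"},
    {"type": "file_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "path": r"C:\Program Files (x86)\DHCP Monitor"},
    {"type": "file_create",
     "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\Desktop\notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.rule}: {finding.evidence}")
```

The schtasks check keys on the /XML argument rather than on the task name because the name here is an unresolved builder placeholder (`&startupname&`) that a different build would not carry; the Temp-path condition is what generalises. The Program Files check is deliberately narrow to the .NET utilities listed, since installers legitimately write there and a broader rule would be noisy.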