Loading ...

Play interactive tourEdit tour

Analysis Report NXKfWP9SPF0XHRu.exe

Overview

General Information

Sample Name:NXKfWP9SPF0XHRu.exe
Analysis ID:319657
MD5:444332a61d888ac4f80db03b3c2129e9
SHA1:5d518f814c09b15b35cd9ba5d20d0892bd8ef90b
SHA256:611c893208d8bf06031da708a44ec749b89b069ad1e84c14625b02bccb4998a0
Tags:ESPexegeoNanoCoreRAT

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NXKfWP9SPF0XHRu.exe (PID: 5952 cmdline: 'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe' MD5: 444332A61D888AC4F80DB03B3C2129E9)
    • schtasks.exe (PID: 6052 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x24f68d:$x1: NanoCore.ClientPluginHost
    • 0x24f6ca:$x2: IClientNetworkHost
    • 0x2531fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 19 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xd9ad:$x1: NanoCore.ClientPluginHost
      • 0xd9da:$x2: IClientNetworkHost
      3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xd9ad:$x2: NanoCore.ClientPluginHost
      • 0xea88:$s4: PipeCreated
      • 0xd9c7:$s5: IClientLoggingHost
      3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xf7ad:$x1: NanoCore.ClientPluginHost
        • 0xf7da:$x2: IClientNetworkHost
        3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xf7ad:$x2: NanoCore.ClientPluginHost
        • 0x10888:$s4: PipeCreated
        • 0xf7c7:$s5: IClientLoggingHost
        Click to see the 7 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe, ProcessId: 768, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp locationShow sources
        Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe' , ParentImage: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe, ParentProcessId: 5952, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp', ProcessId: 6052

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exeReversingLabs: Detection: 16%
        Source: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exeReversingLabs: Detection: 16%
        Multi AV Scanner detection for submitted fileShow sources
        Source: NXKfWP9SPF0XHRu.exeReversingLabs: Detection: 16%
        Source: NXKfWP9SPF0XHRu.exeReversingLabs: Detection: 16%
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY
        Source: Yara matchFile source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 4x nop then jmp 05495DF9h0_2_054950A7
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 4x nop then jmp 05495DF9h0_2_054950A7
        Source: global trafficTCP traffic: 192.168.2.7:49707 -> 23.105.131.214:4040
        Source: global trafficTCP traffic: 192.168.2.7:49707 -> 23.105.131.214:4040
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: unknownTCP traffic detected without corresponding DNS query: 23.105.131.214
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239916983.0000000004C74000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comadi
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comefaD
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comM.TTFh
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255001568.0000000004C60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdE
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdL
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed)
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituF
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comlicF
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoa
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240762052.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/7
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Bold
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240678890.0000000004C69000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/7
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/roso
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/v
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vvU
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239916983.0000000004C74000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comadi
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comefaD
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comM.TTFh
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255001568.0000000004C60000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdE
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdL
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed)
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comituF
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comlicF
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.241684541.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoa
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.239663209.0000000004C70000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240762052.0000000004C6A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/7
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240252277.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Bold
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240678890.0000000004C69000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/7
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/roso
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240900347.0000000004C68000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/v
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000003.240460926.0000000004C6B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/vvU
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.255243254.0000000004E72000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.250650891.00000000008D8000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.250650891.00000000008D8000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORY
        Source: Yara matchFile source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_05411756 NtQuerySystemInformation,0_2_05411756
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_05411756 NtQuerySystemInformation,0_2_05411756
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_0504116A NtQuerySystemInformation,3_2_0504116A
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_0504112F NtQuerySystemInformation,3_2_0504112F
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A74C880_2_04A74C88
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A7D8C00_2_04A7D8C0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A7A2380_2_04A7A238
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A787A00_2_04A787A0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A711F80_2_04A711F8
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A71B210_2_04A71B21
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A70B180_2_04A70B18
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A729780_2_04A72978
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A74AA00_2_04A74AA0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A740B80_2_04A740B8
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A728880_2_04A72888
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A794880_2_04A79488
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A74A900_2_04A74A90
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A700990_2_04A70099
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A746E00_2_04A746E0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A740C80_2_04A740C8
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A746D00_2_04A746D0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A716200_2_04A71620
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A736610_2_04A73661
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A74C770_2_04A74C77
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A736700_2_04A73670
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A70A7F0_2_04A70A7F
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A748400_2_04A74840
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A748500_2_04A74850
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A787910_2_04A78791
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A781000_2_04A78100
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A781100_2_04A78110
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A78B480_2_04A78B48
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A743580_2_04A74358
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_05493A5C0_2_05493A5C
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_054950A70_2_054950A7
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_05493F3C0_2_05493F3C
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_05493ABA0_2_05493ABA
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A74C880_2_04A74C88
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A7D8C00_2_04A7D8C0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A7A2380_2_04A7A238
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A787A00_2_04A787A0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A711F80_2_04A711F8
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A71B210_2_04A71B21
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A70B180_2_04A70B18
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A729780_2_04A72978
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A74AA00_2_04A74AA0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A740B80_2_04A740B8
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A728880_2_04A72888
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A794880_2_04A79488
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A74A900_2_04A74A90
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A700990_2_04A70099
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A746E00_2_04A746E0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A740C80_2_04A740C8
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A746D00_2_04A746D0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A716200_2_04A71620
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A736610_2_04A73661
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A74C770_2_04A74C77
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A736700_2_04A73670
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A70A7F0_2_04A70A7F
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A748400_2_04A74840
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A748500_2_04A74850
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A787910_2_04A78791
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A781000_2_04A78100
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A781100_2_04A78110
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A78B480_2_04A78B48
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_04A743580_2_04A74358
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_05493A5C0_2_05493A5C
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_054950A70_2_054950A7
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_05493F3C0_2_05493F3C
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_05493ABA0_2_05493ABA
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AF2FA83_2_02AF2FA8
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AF23A03_2_02AF23A0
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AFACC83_2_02AFACC8
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AF90683_2_02AF9068
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AF84683_2_02AF8468
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AF38503_2_02AF3850
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AF306F3_2_02AF306F
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AF912F3_2_02AF912F
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_02AF99103_2_02AF9910
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: ynSazlVxDpCRe.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: ynSazlVxDpCRe.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: NXKfWP9SPF0XHRu.exeBinary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257068238.0000000005B30000.00000002.00000001.sdmpBinary or memory string: originalfilename vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257068238.0000000005B30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.256985235.0000000005A50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.258006053.00000000070C0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257045055.0000000005AC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.509434462.0000000002EA1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000000.248853862.0000000000810000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.511937278.0000000005190000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507771480.0000000002B40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exeBinary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exeBinary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257068238.0000000005B30000.00000002.00000001.sdmpBinary or memory string: originalfilename vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257068238.0000000005B30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.256985235.0000000005A50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.258006053.00000000070C0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.257045055.0000000005AC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.509434462.0000000002EA1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512537276.0000000005FC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000000.248853862.0000000000810000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.511937278.0000000005190000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exe, 00000003.00000002.507771480.0000000002B40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs NXKfWP9SPF0XHRu.exe
        Source: NXKfWP9SPF0XHRu.exeBinary or memory string: OriginalFilename vs NXKfWP9SPF0XHRu.exe
        Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.512257767.0000000005710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.253897211.0000000003B42000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.253518250.000000000398D000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.511185145.0000000003EE7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.505689991.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000003.00000002.512006874.0000000005200000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 5952, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: NXKfWP9SPF0XHRu.exe PID: 768, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5710000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.5200000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/4@0/1
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_054115DA AdjustTokenPrivileges,0_2_054115DA
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 0_2_054115DA AdjustTokenPrivileges,0_2_054115DA
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_05040F2A AdjustTokenPrivileges,3_2_05040F2A
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeCode function: 3_2_05040EF3 AdjustTokenPrivileges,3_2_05040EF3
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile created: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exeJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile created: C:\Users\user\AppData\Roaming\ynSazlVxDpCRe.exeJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeMutant created: \Sessions\1\BaseNamedObjects\wOaZzcrdioFDiVf
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9f1637ca-7a2a-4aa5-bf17-8e7b7d705552}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeMutant created: \Sessions\1\BaseNamedObjects\wOaZzcrdioFDiVf
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9f1637ca-7a2a-4aa5-bf17-8e7b7d705552}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile created: C:\Users\user\AppData\Local\Temp\tmp10AA.tmpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile created: C:\Users\user\AppData\Local\Temp\tmp10AA.tmpJump to behavior
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: NXKfWP9SPF0XHRu.exeReversingLabs: Detection: 16%
        Source: NXKfWP9SPF0XHRu.exeReversingLabs: Detection: 16%
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: icons8-Add-16
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: icons8-Add-16
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: icons8-Add-16
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: icons8-Add-16
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: icons8-Add-16
        Source: NXKfWP9SPF0XHRu.exeString found in binary or memory: icons8-Add-16
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile read: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile read: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe 'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeProcess created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}Jump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe 'C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ynSazlVxDpCRe' /XML 'C:\Users\user\AppData\Local\Temp\tmp10AA.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeProcess created: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exe {path}Jump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
        Source: NXKfWP9SPF0XHRu.exeStatic file information: File size 1117184 > 1048576
        Source: NXKfWP9SPF0XHRu.exeStatic file information: File size 1117184 > 1048576
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: C:\Users\user\Desktop\NXKfWP9SPF0XHRu.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10c600
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x10c600
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: NXKfWP9SPF0XHRu.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.256985235.0000000005A50000.00000002.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000003.00000002.511937278.0000000005190000.00000002.00000001.sdmp
        Source: Binary string: mscorrc.pdb source: NXKfWP9SPF0XHRu.exe, 00000000.00000002.256985235.0000000005A50000.00000002.00000001.sdmp, NXKfWP9SPF0XHRu.exe, 00000003.00000002.511937278.0000000005190000.00000002.00000001.sdmp

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.NXKfWP9SPF0XHRu.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])