Analysis Report z2d6Yt5v.exe

Overview

General Information

Sample Name: z2d6Yt5v.exe
Analysis ID: 321423
MD5: 9bb6d4f72a348ad47cc97185604f4dd9
SHA1: 7384957e8a29f517654fcbd905861574e772d3ed
SHA256: 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
Tags: exe, njRat

Detection

njRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected njRat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Netsh Port or Application Allowed
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • z2d6Yt5v.exe (PID: 6072 cmdline: 'C:\Users\user\Desktop\z2d6Yt5v.exe' MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
    • Core Service.exe (PID: 4464 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
      • netsh.exe (PID: 5416 cmdline: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Core Service.exe (PID: 4276 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • Core Service.exe (PID: 4760 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • Core Service.exe (PID: 6100 cmdline: 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. MD5: 9BB6D4F72A348AD47CC97185604F4DD9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: z2d6Yt5v.exe; Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
Source: z2d6Yt5v.exe; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: z2d6Yt5v.exe; Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping
Source: z2d6Yt5v.exe; Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
  • 0x4d88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e60:$msg: Execute ERROR
  • 0x4ebc:$msg: Execute ERROR
  • 0x4d4a:$ping: cmd.exe /c ping 0 -n 2 & del

Dropped Files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe; Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe; Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping

Memory Dumps

Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp; Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
  • 0x4bb8:$a1: netsh firewall add allowedprogram
  • 0x4b88:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e32:$b1: [TAP]
  • 0x4b4a:$c3: cmd.exe /c ping
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp; Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
  • 0x4b88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4c60:$msg: Execute ERROR
  • 0x4cbc:$msg: Execute ERROR
  • 0x4b4a:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp; Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
  • 0x4bb8:$a1: netsh firewall add allowedprogram
  • 0x4b88:$a2: SEE_MASK_NOZONECHECKS
  • 0x4e32:$b1: [TAP]
  • 0x4b4a:$c3: cmd.exe /c ping

Unpacked PEs

Source: 2.0.Core Service.exe.8b0000.0.unpack; Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR
Source: 2.0.Core Service.exe.8b0000.0.unpack; Rule: JoeSecurity_Njrat; Description: Yara detected Njrat; Author: Joe Security
Source: 2.0.Core Service.exe.8b0000.0.unpack; Rule: njrat1; Description: Identify njRat; Author: Brian Wallace @botnet_hunter
  • 0x4db8:$a1: netsh firewall add allowedprogram
  • 0x4d88:$a2: SEE_MASK_NOZONECHECKS
  • 0x5032:$b1: [TAP]
  • 0x4d4a:$c3: cmd.exe /c ping
Source: 2.0.Core Service.exe.8b0000.0.unpack; Rule: Njrat; Description: detect njRAT in memory; Author: JPCERT/CC Incident Response Group
  • 0x4d88:$reg: SEE_MASK_NOZONECHECKS
  • 0x4e60:$msg: Execute ERROR
  • 0x4ebc:$msg: Execute ERROR
  • 0x4d4a:$ping: cmd.exe /c ping 0 -n 2 & del
Source: 15.0.Core Service.exe.920000.0.unpack; Rule: CN_disclosed_20180208_c; Description: Detects malware from disclosed CN malware set; Author: Florian Roth
  • 0x4d4a:$x1: cmd.exe /c ping 0 -n 2 & del "
  • 0x4ea2:$s3: Executed As
  • 0x4e84:$s6: Download ERROR

Sigma Overview

System Summary:

Sigma detected: Netsh Port or Application Allowed
Source: Process started; Author: Markus Neis, Sander Wiebing
Data:
  • Command: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
  • CommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
  • CommandLine|base64offset|contains: l
  • Image: C:\Windows\SysWOW64\netsh.exe
  • NewProcessName: C:\Windows\SysWOW64\netsh.exe
  • OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  • ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
  • ParentImage: C:\Users\user\AppData\Local\Temp\Core Service.exe
  • ParentProcessId: 4464
  • ProcessCommandLine: netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
  • ProcessId: 5416

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: z2d6Yt5v.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Avira: detection malicious, Label: TR/Dropper.Gen7
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Avira: detection malicious, Label: TR/Dropper.Gen7
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Metadefender: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Metadefender: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, ReversingLabs: Detection: 89%
Multi AV Scanner detection for submitted file
Source: z2d6Yt5v.exe, Virustotal: Detection: 84%
Source: z2d6Yt5v.exe, Metadefender: Detection: 89%
Yara detected Njrat
Source: Yara match, File source: z2d6Yt5v.exe, type: SAMPLE
Source: Yara match, File source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.461812462.0000000002FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Core Service.exe PID: 6100, type: MEMORY
Source: Yara match, File source: Process Memory Space: z2d6Yt5v.exe PID: 6072, type: MEMORY
Source: Yara match, File source: Process Memory Space: Core Service.exe PID: 4760, type: MEMORY
Source: Yara match, File source: Process Memory Space: Core Service.exe PID: 4276, type: MEMORY
Source: Yara match, File source: Process Memory Space: Core Service.exe PID: 4464, type: MEMORY
Source: Yara match, File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED
Source: Yara match, File source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: z2d6Yt5v.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.Core Service.exe.920000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 15.0.Core Service.exe.920000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 7.2.Core Service.exe.ec0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 2.2.Core Service.exe.8b0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 2.0.Core Service.exe.8b0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 10.0.Core Service.exe.810000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 7.0.Core Service.exe.ec0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, Avira: Label: TR/Dropper.Gen7
Source: 10.2.Core Service.exe.810000.0.unpack, Avira: Label: TR/Dropper.Gen7

Source: global traffic, TCP traffic: 192.168.2.3:49722 -> 81.249.236.18:5553
Source: unknown, DNS traffic detected: queries for: noiphack93.hopto.org

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: z2d6Yt5v.exe, kl.cs, .Net Code: VKCodeToUnicode
Source: Core Service.exe.0.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, kl.cs, .Net Code: VKCodeToUnicode
Source: 2.2.Core Service.exe.8b0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 2.0.Core Service.exe.8b0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 7.2.Core Service.exe.ec0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 7.0.Core Service.exe.ec0000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 10.0.Core Service.exe.810000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 10.2.Core Service.exe.810000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 15.2.Core Service.exe.920000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode
Source: 15.0.Core Service.exe.920000.0.unpack, kl.cs, .Net Code: VKCodeToUnicode

E-Banking Fraud:

Yara detected Njrat
Source: Yara match (the same file sources as listed for this signature under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: z2d6Yt5v.exe, type: SAMPLE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: z2d6Yt5v.exe, type: SAMPLE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: z2d6Yt5v.exe, type: SAMPLE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: Detects malware from disclosed CN malware set, Author: Florian Roth
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: Identify njRat, Author: Brian Wallace @botnet_hunter
Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE, Matched rule: detect njRAT in memory, Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Code function: 2_2_02B31BBA NtQuerySystemInformation, 2_2_02B31BBA
Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, Code function: 2_2_02B31B7F NtQuerySystemInformation, 2_2_02B31B7F
Sample file is different than original file name gathered from version info
Source: z2d6Yt5v.exe, 00000000.00000002.211502125.0000000004E50000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs z2d6Yt5v.exe
Source: z2d6Yt5v.exe, 00000000.00000002.211502125.0000000004E50000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs z2d6Yt5v.exe
Source: z2d6Yt5v.exe, 00000000.00000002.211523908.0000000004E80000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs z2d6Yt5v.exe
               Matched rules (metadata as given in the report, listed once):
                 CN_disclosed_20180208_c: date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
                 njrat1: date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                 Njrat: hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
               Source: z2d6Yt5v.exe, type: SAMPLE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 0000000F.00000002.296934602.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 00000007.00000002.260704512.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 00000000.00000002.210341722.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 0000000F.00000000.285488818.0000000000922000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 0000000A.00000000.267967586.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 0000000A.00000002.279339449.0000000000812000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 00000000.00000002.211371973.0000000002C85000.00000004.00000001.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: 00000007.00000000.249387017.0000000000EC2000.00000002.00020000.sdmp, type: MEMORY | Matched rules: njrat1, Njrat
               Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe, type: DROPPED | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPED | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 15.0.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 7.0.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 15.2.Core Service.exe.920000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 7.2.Core Service.exe.ec0000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 10.0.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
               Source: 10.2.Core Service.exe.810000.0.unpack, type: UNPACKEDPE | Matched rules: CN_disclosed_20180208_c, njrat1, Njrat
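The Yara evidence above is the same three rules reported against every memory dump and unpacked image of every process in the tree. The script below is an added example (not part of the sandbox report, not Joe Sandbox code) that parses rows of exactly that shape and tallies, per rule, which process index it fired in and at which snapshot. Assumptions made for the example: memory-dump names are read as <process index>.<snapshot>.<dump id>.<base address>..., unpacked-PE names as <process index>.<snapshot>.<image>.<base>.<n>.unpack, and snapshot 0 is taken at process start while snapshot 2 is taken at process end; the sample rows are constructed copies of the report's layout with the rule metadata shortened.

```python
"""Summarise Joe Sandbox "Matched rule" evidence rows per YARA rule and per process.

Added example; not part of the sandbox report and not Joe Sandbox code.
Assumptions: rows look like "Source: <name>, type: <kind>Matched rule: <rule> <k = v, ...>"
as extracted on this page; memory-dump names are
<process index>.<snapshot>.<dump id>.<base address>... and unpacked-PE names are
<process index>.<snapshot>.<image>.<base>.<n>.unpack, with snapshot 0 taken at
process start and snapshot 2 at process end.
"""
import re
from collections import defaultdict

# Constructed sample rows copying the report's own layout (rule metadata shortened).
SAMPLE_ROWS = [
    "Source: z2d6Yt5v.exe, type: SAMPLEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat",
    "Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213, author = JPCERT/CC Incident Response Group, rule_usage = memory scan",
    "Source: 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter",
    "Source: 00000002.00000000.210200221.00000000008B2000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter",
    "Source: 00000000.00000000.194561361.00000000005E2000.00000002.00020000.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter",
    r"Source: C:\Users\user\AppData\Local\Temp\Core Service.exe, type: DROPPEDMatched rule: CN_disclosed_20180208_c date = 2018-02-08, author = Florian Roth",
    "Source: 2.0.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter",
    "Source: 2.2.Core Service.exe.8b0000.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213, author = JPCERT/CC Incident Response Group",
]

ROW_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>SAMPLE|MEMORY|DROPPED|UNPACKEDPE)"
    r"Matched rule: (?P<rule>\S+)(?P<meta>.*)$"
)
META_RE = re.compile(r"(\w+) = (.+?)(?=, \w+ = |$)")
# e.g. 00000002.00000002.459233753.00000000008B2000.00000002.00020000.sdmp (hex fields)
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.\d+\.(?P<addr>[0-9A-F]{16})\.")
# e.g. 2.2.Core Service.exe.8b0000.0.unpack (decimal index/snapshot, hex base)
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<snap>\d+)\.(?P<image>.+)\.(?P<addr>[0-9a-f]+)\.\d+\.unpack$")


def parse_row(line):
    """Split one evidence row into its fields; None if the row has another shape."""
    m = ROW_RE.match(line)
    if m is None:
        return None
    row = {"source": m["source"], "type": m["type"], "rule": m["rule"],
           "meta": dict(META_RE.findall(m["meta"].strip())),
           "proc": None, "snap": None, "addr": None}
    loc, radix = None, 10
    if row["type"] == "MEMORY":
        loc, radix = SDMP_RE.match(row["source"]), 16
    elif row["type"] == "UNPACKEDPE":
        loc = UNPACK_RE.match(row["source"])
    if loc is not None:
        row["proc"] = int(loc["proc"], radix)
        row["snap"] = int(loc["snap"], radix)
        row["addr"] = int(loc["addr"], 16)
    return row


def summarise(lines):
    """Return {rule: {"author": str, "types": set, "procs": {process index: set of snapshots}}}."""
    out = {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        entry = out.setdefault(row["rule"], {"author": None, "types": set(), "procs": defaultdict(set)})
        entry["types"].add(row["type"])
        entry["author"] = row["meta"].get("author", entry["author"])
        if row["proc"] is not None:
            entry["procs"][row["proc"]].add(row["snap"])
    for entry in out.values():
        entry["procs"] = dict(entry["procs"])
    return out


def hit_at_start_and_end(summary, rule):
    """Processes in which the rule fired on both the start (0) and the end (2) snapshot:
    the matched code was already in the image before it ran, so it is not something
    that only appeared after runtime unpacking."""
    entry = summary.get(rule)
    if entry is None:
        return set()
    return {proc for proc, snaps in entry["procs"].items() if {0, 2} <= snaps}


if __name__ == "__main__":
    s = summarise(SAMPLE_ROWS)
    for rule, entry in sorted(s.items()):
        print(rule, "|", entry["author"], "|", sorted(entry["types"]), "|", entry["procs"],
              "| start+end:", sorted(hit_at_start_and_end(s, rule)))
```

Fed the full set of rows from the report, the same tally shows njrat1 and Njrat firing on both snapshots of every process, which is consistent with the detected code living in the on-disk sample rather than being produced by the Assembly.Load(byte[]) plugin loader listed under Data Obfuscation.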
               Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/5@5/1
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_02B31606 AdjustTokenPrivileges, 2_2_02B31606
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_02B315CF AdjustTokenPrivileges, 2_2_02B315CF
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\z2d6Yt5v.exe.log
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Mutant created: \Sessions\1\BaseNamedObjects\af48625ee196d906557ab2d838a9cc2f
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Temp\Core Service.exe
               Source: z2d6Yt5v.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (4 occurrences)
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (4 occurrences)
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (4 occurrences)
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File read: C:\Users\user\Desktop\desktop.ini
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
               Source: z2d6Yt5v.exe | Virustotal: Detection: 84%
               Source: z2d6Yt5v.exe | Metadefender: Detection: 89%
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File read: C:\Users\user\Desktop\z2d6Yt5v.exe
               Source: unknown | Process created: C:\Users\user\Desktop\z2d6Yt5v.exe 'C:\Users\user\Desktop\z2d6Yt5v.exe'
               Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
               Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
               Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe' .. (3 occurrences)
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Process created: C:\Users\user\AppData\Local\Temp\Core Service.exe 'C:\Users\user\AppData\Local\Temp\Core Service.exe'
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\AppData\Local\Temp\Core Service.exe' 'Core Service.exe' ENABLE
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
               Source: z2d6Yt5v.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
               Source: z2d6Yt5v.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Data Obfuscation:

               .NET source code contains potential unpacker
               Source: z2d6Yt5v.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: Core Service.exe.0.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 0.0.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 0.2.z2d6Yt5v.exe.5e0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: af48625ee196d906557ab2d838a9cc2f.exe.2.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 2.2.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 2.0.Core Service.exe.8b0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 7.2.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 7.0.Core Service.exe.ec0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 10.0.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 10.2.Core Service.exe.810000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 15.2.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: 15.0.Core Service.exe.920000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | Code function: 0_2_005E5021 push cs; ret 0_2_005E5022
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 2_2_008B5021 push cs; ret 2_2_008B5022
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 7_2_00EC5021 push cs; ret 7_2_00EC5022
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 10_2_00815021 push cs; ret 10_2_00815022
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Code function: 15_2_00925021 push cs; ret 15_2_00925022
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe
               Source: C:\Users\user\Desktop\z2d6Yt5v.exe | File created: C:\Users\user\AppData\Local\Temp\Core Service.exe

              Boot Survival:

               Creates autostart registry keys with suspicious names
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f
               Drops PE files to the startup folder
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe (3 occurrences)
               Source: C:\Users\user\AppData\Local\Temp\Core Service.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run af48625ee196d906557ab2d838a9cc2f (2 occurrences)
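The Boot Survival evidence above, together with the netsh process creation in the behaviour list, is the whole njRAT persistence chain: the dropped copy adds itself as a firewall exception, registers a Run value, and writes a copy into the per-user Startup folder, all under the same 32-hex name (af48625ee196d906557ab2d838a9cc2f) that it also uses as its mutex. The script below is an added example (not from the report, not Joe Sandbox code) that runs those three checks over constructed, minimal Sysmon-style events and correlates hits by the acting image. Assumptions made for the example: the event field names, the event-id mapping (1 = process create, 11 = file create, 13 = registry value set), and the Run value data, which the report does not show (it lists only the value name).

```python
"""Flag the persistence + firewall-tampering chain shown in this report.

Added example; not from the report and not Joe Sandbox code. The events are a
constructed, minimal Sysmon-style record set (id 1 = process create, 11 = file
create, 13 = registry value set); the field names are an assumption made for
this example, and the Run value data below is assumed, since the report only
shows the value name.
"""
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)  # hash-like names such as af48625ee196d906557ab2d838a9cc2f
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Desktop)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
NETSH_ALLOW = re.compile(r"\bnetsh\b.*\b(?:add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
PROG_RE = re.compile(r"""(?:allowedprogram\s+|program=)['"]?(?P<path>[^'"]+?\.exe)""", re.I)

CORE = r"C:\Users\user\AppData\Local\Temp\Core Service.exe"
STARTUP_COPY = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe"

# Constructed events: paths and the netsh command line are copied from the report
# (quoting as the report renders it); the last event is benign noise for contrast.
EVENTS = [
    {"id": 1, "image": CORE,
     "cmdline": "netsh firewall add allowedprogram '" + CORE + "' 'Core Service.exe' ENABLE"},
    {"id": 13, "image": CORE,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f",
     "details": STARTUP_COPY},  # value data assumed; the report shows only the value name
    {"id": 11, "image": CORE, "target": STARTUP_COPY},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]


def leaf(path):
    """Last path component (registry value name or file name)."""
    return path.rsplit("\\", 1)[-1]


def detect(events):
    """Return one finding per suspicious event: {"technique", "image", "evidence"}."""
    findings = []
    for ev in events:
        if ev["id"] == 1 and NETSH_ALLOW.search(ev.get("cmdline", "")):
            prog = PROG_RE.search(ev["cmdline"])
            # T1562.004: firewall exception for a binary living in a user-writable directory
            if prog and USER_WRITABLE.search(prog["path"]):
                findings.append({"technique": "firewall_allowedprogram", "image": ev["image"],
                                 "evidence": prog["path"]})
        elif ev["id"] == 13 and RUN_KEY.search(ev.get("target", "")):
            name, data = leaf(ev["target"]), ev.get("details", "")
            # T1547.001: Run value with a hash-like name, or pointing into a user-writable directory
            if HEX32.match(name) or USER_WRITABLE.search(data):
                findings.append({"technique": "run_key_persistence", "image": ev["image"],
                                 "evidence": ev["target"]})
        elif ev["id"] == 11 and STARTUP_DIR.search(ev.get("target", "")):
            name = leaf(ev["target"])
            # T1547.001: executable dropped into the per-user Startup folder under a hash-like name
            if name.lower().endswith(".exe") and HEX32.match(name[:-4]):
                findings.append({"technique": "startup_folder_drop", "image": ev["image"],
                                 "evidence": ev["target"]})
    return findings


def correlate(findings):
    """Group techniques by the acting image; two or more from one image is the chain seen here."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f["image"], set()).add(f["technique"])
    return {img: techs for img, techs in by_image.items() if len(techs) >= 2}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f["technique"], "<-", f["image"], ":", f["evidence"])
    print("chains:", correlate(found))
```

The benign installer event is there to show what the rules do not fire on: a Run value with a readable name whose data points into Program Files. Against real telemetry the same three checks would be keyed on the Run value data rather than the assumed path, and the mutex name from the behaviour list is a fourth pivot once a host is in scope.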
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\z2d6Yt5v.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\Core Service.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX