
Analysis Report BFSV-1F(N)_1B-8B_ANSI.exe

Overview

General Information

Sample Name: BFSV-1F(N)_1B-8B_ANSI.exe
Analysis ID: 336687
MD5: 157d3320cafb9799ed5d996692e8bea7
SHA1: b8dc9d3720b84695bc18a4310a5f34e2603fc829
SHA256: 5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
Tags: exe, NanoCoreRAT

Detection

Family: Nanocore
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nanocore RAT
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 5812 cmdline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' MD5: 157D3320CAFB9799ED5D996692E8BEA7)
    • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6560 cmdline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' MD5: 157D3320CAFB9799ED5D996692E8BEA7)
    • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 5748 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
      • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 5728 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
      • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 4544 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
        • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 2228 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
        • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6592 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
          • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6584 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
          • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 4944 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
            • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6980 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
            • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6648 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
              • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6884 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
              • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6644 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
                • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 7140 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
                • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 7100 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2135d:$x1: NanoCore Client.exe
  • 0x215e5:$x2: NanoCore.ClientPluginHost
  • 0x22c1e:$s1: PluginCommand
  • 0x22c12:$s2: FileCommand
  • 0x23ac3:$s3: PipeExists
  • 0x2987a:$s4: PipeCreated
  • 0x2160f:$s5: IClientLoggingHost

0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x2134d:$a: NanoCore
  • 0x2135d:$a: NanoCore
  • 0x21591:$a: NanoCore
  • 0x215a5:$a: NanoCore
  • 0x215e5:$a: NanoCore
  • 0x213ac:$b: ClientPlugin
  • 0x215ae:$b: ClientPlugin
  • 0x215ee:$b: ClientPlugin
  • 0x214d3:$c: ProjectData
  • 0x21eda:$d: DESCrypto
  • 0x298a6:$e: KeepAlive
  • 0x27894:$g: LogClientMessage
  • 0x23a8f:$i: get_Connected
  • 0x22210:$j: #=q
  • 0x22240:$j: #=q
  • 0x2225c:$j: #=q
  • 0x2228c:$j: #=q
  • 0x222a8:$j: #=q
  • 0x222c4:$j: #=q
  • 0x222f4:$j: #=q
  • 0x22310:$j: #=q

00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings

8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1d9e5:$x1: NanoCore.ClientPluginHost
  • 0x1da22:$x2: IClientNetworkHost
  • 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1d75d:$x1: NanoCore Client.exe
  • 0x1d9e5:$x2: NanoCore.ClientPluginHost
  • 0x1f01e:$s1: PluginCommand
  • 0x1f012:$s2: FileCommand
  • 0x1fec3:$s3: PipeExists
  • 0x25c7a:$s4: PipeCreated
  • 0x1da0f:$s5: IClientLoggingHost

8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1d74d:$a: NanoCore
  • 0x1d75d:$a: NanoCore
  • 0x1d991:$a: NanoCore
  • 0x1d9a5:$a: NanoCore
  • 0x1d9e5:$a: NanoCore
  • 0x1d7ac:$b: ClientPlugin
  • 0x1d9ae:$b: ClientPlugin
  • 0x1d9ee:$b: ClientPlugin
  • 0x1d8d3:$c: ProjectData
  • 0x1e2da:$d: DESCrypto
  • 0x25ca6:$e: KeepAlive
  • 0x23c94:$g: LogClientMessage
  • 0x1fe8f:$i: get_Connected
  • 0x1e610:$j: #=q
  • 0x1e640:$j: #=q
  • 0x1e65c:$j: #=q
  • 0x1e68c:$j: #=q
  • 0x1e6a8:$j: #=q
  • 0x1e6c4:$j: #=q
  • 0x1e6f4:$j: #=q
  • 0x1e710:$j: #=q

13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1d9e5:$x1: NanoCore.ClientPluginHost
  • 0x1da22:$x2: IClientNetworkHost
  • 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Avira: detected
Multi AV Scanner detection for submitted file
Source: BFSV-1F(N)_1B-8B_ANSI.exe; ReversingLabs: Detection: 43%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY
Source: Yara match; File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Joe Sandbox ML: detected
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.c90000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 2.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 0.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 10.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 5.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 16.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 17.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.2910000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 8.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.14c0000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.d60000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.d60000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.2c40000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 16.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 9.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 9.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 1.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 17.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 1.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP; source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb; source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.658811495.0000000000E0A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT (the same Yara match sources as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_003ED580
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 1_2_003ED580
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656792236.0000000002C2F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.662135152.0000000002F7F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667765526.0000000002FEF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673368529.000000000337F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678962378.00000000029D6000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.688343785.000000000280F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695713586.0000000002796000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: classification engine; Classification label: mal84.troj.winEXE@29/0@0/0
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BFSV-1F(N)_1B-8B_ANSI.exe; ReversingLabs: Detection: 43%
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; File read: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: unknown; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00405EC0 push eax; ret 0_2_00405EEE
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 1_2_00405EC0 push eax; ret 1_2_00405EEE
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00405CA0 mov eax, dword ptr fs:[00000030h] 0_2_00405CA0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00B8ECBE mov eax, dword ptr fs:[00000030h] 0_2_00B8ECBE
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00B8F5D4 mov eax, dword ptr fs:[00000030h] 0_2_00B8F5D4
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00B8F534 mov eax, dword ptr fs:[00000030h] 0_2_00B8F534
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00B8F715 mov eax, dword ptr fs:[00000030h] 0_2_00B8F715
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_00B8F571 mov eax, dword ptr fs:[00000030h] 0_2_00B8F571
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 1_2_00405CA0 mov eax, dword ptr fs:[00000030h] 1_2_00405CA0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 2_2_00F5F87D mov eax, dword ptr fs:[00000030h] 2_2_00F5F87D
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 2_2_00F5F8E0 mov eax, dword ptr fs:[00000030h] 2_2_00F5F8E0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 2_2_00F5F840 mov eax, dword ptr fs:[00000030h] 2_2_00F5F840
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 2_2_00F5EFCA mov eax, dword ptr fs:[00000030h] 2_2_00F5EFCA
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 2_2_00F5FA21 mov eax, dword ptr fs:[00000030h] 2_2_00F5FA21
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 4_2_00DDF9C1 mov eax, dword ptr fs:[00000030h] 4_2_00DDF9C1
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 4_2_00DDEF6A mov eax, dword ptr fs:[00000030h] 4_2_00DDEF6A
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 4_2_00DDF7E0 mov eax, dword ptr fs:[00000030h] 4_2_00DDF7E0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 4_2_00DDF81D mov eax, dword ptr fs:[00000030h] 4_2_00DDF81D
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 4_2_00DDF880 mov eax, dword ptr fs:[00000030h] 4_2_00DDF880
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 6_2_012FF980 mov eax, dword ptr fs:[00000030h] 6_2_012FF980
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 6_2_012FF91D mov eax, dword ptr fs:[00000030h] 6_2_012FF91D
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 6_2_012FF06A mov eax, dword ptr fs:[00000030h] 6_2_012FF06A
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 6_2_012FF8E0 mov eax, dword ptr fs:[00000030h] 6_2_012FF8E0
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 6_2_012FFAC1 mov eax, dword ptr fs:[00000030h] 6_2_012FFAC1
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 8_2_00B3F529 mov eax, dword ptr fs:[00000030h] 8_2_00B3F529
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 8_2_00B3F58C mov eax, dword ptr fs:[00000030h] 8_2_00B3F58C
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 8_2_00B3EC76 mov eax, dword ptr fs:[00000030h] 8_2_00B3EC76
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 8_2_00B3F4EC mov eax, dword ptr fs:[00000030h] 8_2_00B3F4EC
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 8_2_00B3F6CD mov eax, dword ptr fs:[00000030h] 8_2_00B3F6CD
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 10_2_0054FB54 mov eax, dword ptr fs:[00000030h] 10_2_0054FB54
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 10_2_0054F2DE mov eax, dword ptr fs:[00000030h] 10_2_0054F2DE
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 10_2_0054FBF4 mov eax, dword ptr fs:[00000030h] 10_2_0054FBF4
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 10_2_0054FB91 mov eax, dword ptr fs:[00000030h] 10_2_0054FB91
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 10_2_0054FD35 mov eax, dword ptr fs:[00000030h] 10_2_0054FD35
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 13_2_005DFAD4 mov eax, dword ptr fs:[00000030h] 13_2_005DFAD4
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 13_2_005DFA71 mov eax, dword ptr fs:[00000030h] 13_2_005DFA71
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 13_2_005DFC15 mov eax, dword ptr fs:[00000030h] 13_2_005DFC15
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 13_2_005DF1BE mov eax, dword ptr fs:[00000030h] 13_2_005DF1BE
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 13_2_005DFA34 mov eax, dword ptr fs:[00000030h] 13_2_005DFA34
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' Jump to behavior
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeJump to behavior
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeJump to behavior
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeJump to behavior
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeJump to behavior
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeJump to behavior
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeJump to behavior
      Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmpBinary or memory string: Progmanlock

      Stealing of Sensitive Information: