
Analysis Report SviRsoKz6E.exe

Overview

General Information

Sample Name: SviRsoKz6E.exe
Analysis ID: 381760
MD5: 5d59200d61ba34e07e26132f5acd9619
SHA1: 8fb59154fe08e09b2e9c2f817157b5bc0ccf1dae
SHA256: 95f117deabf4aeb36402033a7ca35e717f7a31c8bf9330acbf8934fb483c5d3e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SviRsoKz6E.exe (PID: 2212 cmdline: 'C:\Users\user\Desktop\SviRsoKz6E.exe' MD5: 5D59200D61BA34E07E26132F5ACD9619)
    • SviRsoKz6E.exe (PID: 632 cmdline: 'C:\Users\user\Desktop\SviRsoKz6E.exe' MD5: 5D59200D61BA34E07E26132F5ACD9619)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6a8cfd5d-4b59-4ef3-89b5-b939bcb2", "Group": "Faggy", "Domain1": "justinalwhitedd554.duckdns.org", "Domain2": "paymentmaba.sinsincity.com", "Port": 7632, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x111e5:$x1: NanoCore.ClientPluginHost
  • 0x11222:$x2: IClientNetworkHost
  • 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x10f4d:$a: NanoCore
  • 0x10f5d:$a: NanoCore
  • 0x11191:$a: NanoCore
  • 0x111a5:$a: NanoCore
  • 0x111e5:$a: NanoCore
  • 0x10fac:$b: ClientPlugin
  • 0x111ae:$b: ClientPlugin
  • 0x111ee:$b: ClientPlugin
  • 0x110d3:$c: ProjectData
  • 0x11ada:$d: DESCrypto
  • 0x194a6:$e: KeepAlive
  • 0x17494:$g: LogClientMessage
  • 0x1368f:$i: get_Connected
  • 0x11e10:$j: #=q
  • 0x11e40:$j: #=q
  • 0x11e5c:$j: #=q
  • 0x11e8c:$j: #=q
  • 0x11ea8:$j: #=q
  • 0x11ec4:$j: #=q
  • 0x11ef4:$j: #=q
  • 0x11f10:$j: #=q
00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
29 entries in total; only the first entries are shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.SviRsoKz6E.exe.56a0000.9.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
2.2.SviRsoKz6E.exe.56a0000.9.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
2.2.SviRsoKz6E.exe.4f70000.7.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.SviRsoKz6E.exe.4f70000.7.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
2.2.SviRsoKz6E.exe.4f70000.7.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
81 entries in total; only the first entries are shown.

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\SviRsoKz6E.exe, ProcessId: 632, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.463943126.00000000034F3000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6a8cfd5d-4b59-4ef3-89b5-b939bcb2", "Group": "Faggy", "Domain1": "justinalwhitedd554.duckdns.org", "Domain2": "paymentmaba.sinsincity.com", "Port": 7632, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nst2F82.tmp\tkmg9lz0c84fk1.dll | Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\nst2F82.tmp\tkmg9lz0c84fk1.dll | ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: SviRsoKz6E.exe | Virustotal: Detection: 39%
Source: SviRsoKz6E.exe | ReversingLabs: Detection: 72%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.461711945.0000000002461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.463943126.00000000034F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SviRsoKz6E.exe PID: 2212, type: MEMORY
Source: Yara match | File source: Process Memory Space: SviRsoKz6E.exe PID: 632, type: MEMORY
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34ffad1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34fb4a8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34fb4a8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SviRsoKz6E.exe | Joe Sandbox ML: detected
Source: 2.2.SviRsoKz6E.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.1.SviRsoKz6E.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack | Avira: Label: TR/NanoCore.fadte
Source: 0.2.SviRsoKz6E.exe.30f0000.3.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Unpacked PE file: 2.2.SviRsoKz6E.exe.400000.1.unpack
Source: SviRsoKz6E.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SviRsoKz6E.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: SviRsoKz6E.exe, 00000002.00000002.460484829.00000000006B5000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: SviRsoKz6E.exe, 00000000.00000003.197706489.00000000035D0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: SviRsoKz6E.exe, 00000000.00000003.197706489.00000000035D0000.00000004.00000001.sdmp
Source: Binary string: ll\System.pdb source: SviRsoKz6E.exe, 00000002.00000003.288689683.0000000005B4B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: SviRsoKz6E.exe, 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00406435 FindFirstFileA,FindClose,0_2_00406435
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405889
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49702 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49703 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49711 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49723 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 104.37.1.32:7632
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: justinalwhitedd554.duckdns.org
Source: Malware configuration extractor | URLs: paymentmaba.sinsincity.com
Uses dynamic DNS services
Source: unknown | DNS query: name: justinalwhitedd554.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49702 -> 104.37.1.32:7632
Source: Joe Sandbox View | ASN Name: SOFTLAYERUS SOFTLAYERUS
Source: unknown | DNS traffic detected: queries for: justinalwhitedd554.duckdns.org
Source: SviRsoKz6E.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SviRsoKz6E.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00405326 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405326
Source: SviRsoKz6E.exe, 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: the same 33 match sources (memory dumps, process memory spaces and unpacked PEs) listed for this signature under AV Detection above.

System Summary: