
Analysis Report note-mxm.exe

Overview

General Information

Sample Name: note-mxm.exe
Analysis ID: 402865
MD5: 116db2200d9be33529615fc98907d4d8
SHA1: 29cf6588682aca66c59e41e0517ede00c75cc76d
SHA256: 43bc7ada65633263e408152d7b117de464c9d23b2758d96a6822bde9ad27b170
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Startup

  • System is w10x64
  • note-mxm.exe (PID: 6860 cmdline: 'C:\Users\user\Desktop\note-mxm.exe' MD5: 116DB2200D9BE33529615FC98907D4D8)
    • schtasks.exe (PID: 7064 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • note-mxm.exe (PID: 7120 cmdline: C:\Users\user\Desktop\note-mxm.exe MD5: 116DB2200D9BE33529615FC98907D4D8)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "cbea22e5-f897-4039-a352-cfbfd96f", "Group": "chase1", "Domain1": "45.137.22.50", "Domain2": "127.0.0.1", "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x11e25d:$x1: NanoCore.ClientPluginHost
  • 0x150a7d:$x1: NanoCore.ClientPluginHost
  • 0x11e29a:$x2: IClientNetworkHost
  • 0x150aba:$x2: IClientNetworkHost
  • 0x121dcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x1545ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x11dfc5:$a: NanoCore
  • 0x11dfd5:$a: NanoCore
  • 0x11e209:$a: NanoCore
  • 0x11e21d:$a: NanoCore
  • 0x11e25d:$a: NanoCore
  • 0x1507e5:$a: NanoCore
  • 0x1507f5:$a: NanoCore
  • 0x150a29:$a: NanoCore
  • 0x150a3d:$a: NanoCore
  • 0x150a7d:$a: NanoCore
  • 0x11e024:$b: ClientPlugin
  • 0x11e226:$b: ClientPlugin
  • 0x11e266:$b: ClientPlugin
  • 0x150844:$b: ClientPlugin
  • 0x150a46:$b: ClientPlugin
  • 0x150a86:$b: ClientPlugin
  • 0x11e14b:$c: ProjectData
  • 0x15096b:$c: ProjectData
  • 0x11eb52:$d: DESCrypto
  • 0x151372:$d: DESCrypto
  • 0x12651e:$e: KeepAlive
00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
Process Memory Space: note-mxm.exe PID: 6860 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.note-mxm.exe.40870d0.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x429ad:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x429ea:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.note-mxm.exe.40870d0.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x42725:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x429ad:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x43fe6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x43fda:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x44e8b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x4ac42:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
  • 0x429d7:$s5: IClientLoggingHost
0.2.note-mxm.exe.40870d0.2.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.note-mxm.exe.40870d0.2.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0x42715:$a: NanoCore
  • 0x42725:$a: NanoCore
  • 0x42959:$a: NanoCore
  • 0x4296d:$a: NanoCore
  • 0x429ad:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x42774:$b: ClientPlugin
  • 0x42976:$b: ClientPlugin
  • 0x429b6:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x4289b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x432a2:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
0.2.note-mxm.exe.40870d0.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\note-mxm.exe, ProcessId: 7120, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\note-mxm.exe', ParentImage: C:\Users\user\Desktop\note-mxm.exe, ParentProcessId: 6860, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp', ProcessId: 7064

Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "cbea22e5-f897-4039-a352-cfbfd96f", "Group": "chase1", "Domain1": "45.137.22.50", "Domain2": "127.0.0.1", "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | ReversingLabs: Detection: 57%
Multi AV Scanner detection for submitted file
Source: note-mxm.exe | Metadefender: Detection: 27%
Source: note-mxm.exe | ReversingLabs: Detection: 57%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: note-mxm.exe | Joe Sandbox ML: detected
Source: note-mxm.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: note-mxm.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49747 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49751 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49753 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49754 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49776 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49781 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49783 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49784 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49785 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49786 -> 45.137.22.50:4557
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49787 -> 45.137.22.50:4557
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 45.137.22.50
Source: Malware configuration extractor | URLs: 127.0.0.1
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 45.137.22.50:4557
Source: Joe Sandbox View | IP Address: 45.137.22.50
Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL
Source: unknown | TCP traffic detected without corresponding DNS query: 45.137.22.50 (50 identical events)
Source: note-mxm.exe, 00000000.00000002.670657533.0000000002F71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: note-mxm.exe, 00000000.00000002.670401401.00000000013DA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_00BD6C06
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05536F68
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_055372F0
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05538491
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05538718
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_055383F0
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_0553EB38
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_0553D558
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_0553D548
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05537348
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_0553738D
Source: C:\Users\user\Desktop\note-mxm.exe | Code function: 0_2_05537840
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe 43BC7ADA65633263E408152D7B117DE464C9D23B2758D96A6822BDE9AD27B170
Source: note-mxm.exe, 00000000.00000002.670586898.00000000014A9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameSeekOrigin.exeP vs note-mxm.exe
Source: note-mxm.exe, 00000000.00000002.672562684.000000000413E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs note-mxm.exe
Source: note-mxm.exe, 00000000.00000002.676279917.000000000BF20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs note-mxm.exe
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs note-mxm.exe
Source: note-mxm.exe, 00000000.00000002.670401401.00000000013DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs note-mxm.exe
Source: note-mxm.exe, 00000005.00000003.672190079.0000000006D32000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs note-mxm.exe
Source: note-mxm.exe, 00000005.00000000.663314117.0000000000F02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSeekOrigin.exeP vs note-mxm.exe
Source: note-mxm.exe | Binary or memory string: OriginalFilenameSeekOrigin.exeP vs note-mxm.exe
Source: note-mxm.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.671855765.0000000003F79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.note-mxm.exe.40870d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.note-mxm.exe.40870d0.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: note-mxm.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fGAhpbrTQZcHeY.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/8@0/1
Source: C:\Users\user\Desktop\note-mxm.exe | File created: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe
Source: C:\Users\user\Desktop\note-mxm.exe | Mutant created: \Sessions\1\BaseNamedObjects\TiHcXXCDXKvJ
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Users\user\Desktop\note-mxm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{cbea22e5-f897-4039-a352-cfbfd96fa986}
Source: C:\Users\user\Desktop\note-mxm.exe | File created: C:\Users\user\AppData\Local\Temp\tmp943B.tmp
Source: note-mxm.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\note-mxm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\note-mxm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\note-mxm.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\note-mxm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: note-mxm.exe | Metadefender: Detection: 27%
Source: note-mxm.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\note-mxm.exe | File read: C:\Users\user\Desktop\note-mxm.exe
Source: unknown | Process created: C:\Users\user\Desktop\note-mxm.exe 'C:\Users\user\Desktop\note-mxm.exe'
Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Users\user\Desktop\note-mxm.exe C:\Users\user\Desktop\note-mxm.exe
Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp'
Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Users\user\Desktop\note-mxm.exe C:\Users\user\Desktop\note-mxm.exe
Source: C:\Users\user\Desktop\note-mxm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\note-mxm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: note-mxm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: note-mxm.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section name: .text entropy: 7.83711506914
Source: initial sample | Static PE information: section name: .text entropy: 7.83711506914
Source: C:\Users\user\Desktop\note-mxm.exe | File created: C:\Users\user\AppData\Roaming\fGAhpbrTQZcHeY.exe (dropped file)

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\note-mxm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fGAhpbrTQZcHeY' /XML 'C:\Users\user\AppData\Local\Temp\tmp943B.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\note-mxm.exe | File opened: C:\Users\user\Desktop\note-mxm.exe:Zone.Identifier read attributes | delete
          Source: C:\Users\user\Desktop\note-mxm.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\note-mxm.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: note-mxm.exe PID: 6860, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: note-mxm.exe, 00000000.00000002.670714258.0000000002FBA000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\note-mxm.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\note-mxm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\note-mxm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\note-mxm.exe | Window / User API: threadDelayed 4610
          Source: C:\Users\user\Desktop\note-mxm.exe | Window / User API: threadDelayed 4454
          Source: C:\Users\user\Desktop\note-mxm.exe | Window / User API: foregroundWindowGot 637
          Source: C:\Users\user\Desktop\note-mxm.exe | Window / User API: foregroundWindowGot 782
          Source: C:\Users\user\Desktop\note-mxm.exe TID: 6864 | Thread sleep time: -99002s >= -30000s
          Source: C:\Users\user\Desktop\note-mxm.exe TID: 3840 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\note-mxm.exe TID: 6264 | Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\note-mxm.exe | Thread delayed: delay time: 99002