

Analysis Report fixxing.exe

Overview

General Information

Sample Name: fixxing.exe
Analysis ID: 403128
MD5: 0d50c8e7c3f044099056bfb318f108c6
SHA1: 538871e91c9cac38af31bd09fe456843d841f586
SHA256: 91f6fc2ae99e090dad56e53c7bf258dd4f43df79ac02a11f2620c31f045fc87f
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • fixxing.exe (PID: 5808 cmdline: 'C:\Users\user\Desktop\fixxing.exe' MD5: 0D50C8E7C3F044099056BFB318F108C6)
    • schtasks.exe (PID: 4736 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • fixxing.exe (PID: 4700 cmdline: C:\Users\user\Desktop\fixxing.exe MD5: 0D50C8E7C3F044099056BFB318F108C6)
  • cleanup

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "cbea22e5-f897-4039-a352-cfbfd96f",
  "Group": "chase1",
  "Domain1": "45.137.22.50",
  "Domain2": "127.0.0.1",
  "Port": 4557,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}
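The extracted configuration above is what a responder turns into blocking and hunting artifacts. The Python below is an added example (not Joe Sandbox or NanoCore code) that reads a trimmed copy of this sample's configuration, keeps only the real C2 endpoint (unused host slots commonly show up as 127.0.0.1, as Domain2 does here, and must not end up in a blocklist), lists the host behaviours the enabled switches predict, and emits one Suricata rule per endpoint. The switch-to-artifact mapping, the sid range and the omitted timing keys are this example's own assumptions. Note that RunOnStartup is Disable in this build yet persistence still happened through schtasks.exe (see Startup above), so a disabled switch rules out only that one mechanism.

```python
import ipaddress
import json

# Subset of the configuration the sandbox extractor printed for this sample
# (copied from the report above; the timing/buffer keys are omitted because
# nothing below needs them).
NANOCORE_CONFIG_JSON = """
{"Version": "1.2.2.0", "Mutex": "cbea22e5-f897-4039-a352-cfbfd96f",
 "Group": "chase1", "Domain1": "45.137.22.50", "Domain2": "127.0.0.1",
 "Port": 4557, "KeyboardLogging": "Enable", "RunOnStartup": "Disable",
 "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable",
 "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8",
 "BackupDNSServer": "8.8.4.4"}
"""

# Assumed mapping from config switches to the host-side behaviour they imply;
# only switches that are set to "Enable" are reported.
SWITCH_ARTIFACTS = {
    "KeyboardLogging": "raw input device registered for keystroke capture (RegisterRawInputDevices)",
    "ClearZoneIdentifier": "Zone.Identifier ADS stripped from the dropped copy",
    "UseCustomDNS": "direct UDP/53 to the configured resolvers, bypassing the internal DNS server",
    "BypassUAC": "UAC bypass attempt",
    "RunOnStartup": "Run-key autostart",
}


def c2_endpoints(cfg):
    """Return (host, port) pairs worth blocking.

    Loopback and unspecified addresses are placeholders for unused host slots
    and are dropped instead of being pushed into a blocklist. Values that are
    not IP literals are DNS names and are kept as-is.
    """
    port = int(cfg["Port"])
    endpoints = []
    for key in sorted(k for k in cfg if k.startswith("Domain")):
        host = str(cfg[key]).strip()
        if not host:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            endpoints.append((host, port))      # hostname, keep it
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            endpoints.append((host, port))
    return endpoints


def expected_host_artifacts(cfg):
    """Host behaviours to hunt for, derived from the enabled switches."""
    return [text for key, text in SWITCH_ARTIFACTS.items() if cfg.get(key) == "Enable"]


def suricata_rule(host, port, sid):
    """Minimal Suricata/Snort rule for one C2 endpoint (sid range is assumed)."""
    return (f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"NanoCore C2 {host}:{port}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def build_iocs(config_json, base_sid=9000001):
    """Parse the extractor output and return the artifacts a responder acts on."""
    cfg = json.loads(config_json)
    endpoints = c2_endpoints(cfg)
    custom_dns = []
    if cfg.get("UseCustomDNS") == "Enable":
        custom_dns = [cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)]
    return {
        "version": cfg["Version"],
        "group": cfg["Group"],
        "mutex": cfg["Mutex"],
        "c2": endpoints,
        "custom_dns": custom_dns,
        "artifacts": expected_host_artifacts(cfg),
        "rules": [suricata_rule(h, p, base_sid + i) for i, (h, p) in enumerate(endpoints)],
    }


if __name__ == "__main__":
    print(json.dumps(build_iocs(NANOCORE_CONFIG_JSON), indent=2))
```

The custom_dns entry matters for hunting: with UseCustomDNS enabled the client talks to 8.8.8.8 and 8.8.4.4 directly, so any name-based C2 in a sibling build would never appear in the internal resolver's logs.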

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x4bbb:$x2: NanoCore.ClientPluginHost
  • 0x6a6b:$s4: PipeCreated
00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    5.3.fixxing.exe.43962f5.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x605:$x1: NanoCore.ClientPluginHost
    • 0x3bd6:$x1: NanoCore.ClientPluginHost
    • 0x63e:$x2: IClientNetworkHost
    5.3.fixxing.exe.43962f5.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x605:$x2: NanoCore.ClientPluginHost
    • 0x3bd6:$x2: NanoCore.ClientPluginHost
    • 0x720:$s4: PipeCreated
    • 0x3cb4:$s4: PipeCreated
    • 0x61f:$s5: IClientLoggingHost
    • 0x3bf0:$s5: IClientLoggingHost
    5.2.fixxing.exe.42c3717.12.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x1deb:$x1: NanoCore.ClientPluginHost
    • 0x1e24:$x2: IClientNetworkHost
    5.2.fixxing.exe.42c3717.12.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x1deb:$x2: NanoCore.ClientPluginHost
    • 0x1f36:$s4: PipeCreated
    • 0x1e05:$s5: IClientLoggingHost
    5.2.fixxing.exe.27d47cc.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x2dbb:$x1: NanoCore.ClientPluginHost
    • 0x2de5:$x2: IClientNetworkHost

    Sigma Overview

    System Summary:

    Sigma detected: NanoCore
    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\fixxing.exe, ProcessId: 4700, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    Sigma detected: Scheduled temp file as task from temp location
    Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\fixxing.exe' , ParentImage: C:\Users\user\Desktop\fixxing.exe, ParentProcessId: 5808, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp', ProcessId: 4736
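Both Sigma hits above can be reproduced with a few lines of matching logic. The Python below is an added example (not Joe Sandbox's or the Sigma project's rule code) that runs equivalent checks over constructed event records in Sysmon field naming: the first two mirror the report's data, the other two are benign look-alikes the rules must not fire on. One detail the report makes visible: the sample launched C:\Windows\System32\schtasks.exe, but the Image field reads C:\Windows\SysWOW64\schtasks.exe because the 32-bit sample is subject to file-system redirection, so the check matches on the image basename rather than on a full path. Field names, the temp-directory list and the GUID pattern are this example's assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed events (not real logs) in Sysmon field naming: EventID 1 is
# process creation, EventID 11 is file creation. The first two are modelled
# on the report's Sigma "Data:" lines; the last two are benign look-alikes.
EVENTS = [
    {"EventID": 1, "ProcessId": 4736,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": (r"'C:\Windows\System32\schtasks.exe' /Create "
                     r"/TN 'Updates\xQGPeospVmcjdT' "
                     r"/XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'"),
     "ParentImage": r"C:\Users\user\Desktop\fixxing.exe"},
    {"EventID": 11, "ProcessId": 4700,
     "Image": r"C:\Users\user\Desktop\fixxing.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 1234,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "ProcessId": 99,
     "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\App\run.dat"},
]

# Directories from which a task definition should never be imported (assumed list).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# /XML <path>, with the path optionally wrapped in single or double quotes.
XML_ARG = re.compile(r"""/xml\s+(['"]?)([^'"]+?)\1(?:\s|$)""", re.IGNORECASE)
# %APPDATA%\<GUID>\run.dat, the NanoCore client's working directory layout.
RUN_DAT = re.compile(
    r"\\appdata\\roaming\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\run\.dat$",
    re.IGNORECASE)


def _basename(path):
    return PureWindowsPath(path).name.lower()


def scheduled_task_from_temp(ev):
    """Sigma 'Scheduled temp file as task from temp location': schtasks.exe
    /Create whose /XML definition lives in a temp directory. Matching on the
    image basename keeps System32 and SysWOW64 callers both in scope."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "schtasks.exe":
        return False
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return False
    m = XML_ARG.search(cmd)
    if not m:
        return False
    xml_path = m.group(2).lower()
    return any(t in xml_path for t in TEMP_DIRS)


def nanocore_run_dat(ev):
    """Sigma 'NanoCore': run.dat created under a GUID-named directory in Roaming."""
    return ev.get("EventID") == 11 and bool(RUN_DAT.search(ev.get("TargetFilename", "")))


RULES = {
    "scheduled_task_from_temp": scheduled_task_from_temp,
    "nanocore_run_dat": nanocore_run_dat,
}


def evaluate(events):
    """Return (rule_name, ProcessId) for every event that matches a rule."""
    return [(name, ev["ProcessId"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name}: PID {pid}")
```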

    Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore (full configuration listed under Malware Configuration above)
    Multi AV Scanner detection for dropped file
    Source: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | Metadefender: Detection: 15%
    Source: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | ReversingLabs: Detection: 59%
    Multi AV Scanner detection for submitted file
    Source: fixxing.exe | Virustotal: Detection: 32%
    Source: fixxing.exe | Metadefender: Detection: 15%
    Source: fixxing.exe | ReversingLabs: Detection: 59%
    Yara detected Nanocore RAT
    Source: Yara match | File source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.481816000.0000000002751000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY
    Source: Yara match | File source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE
    Machine Learning detection for dropped file
    Source: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | Joe Sandbox ML: detected
    Machine Learning detection for sample
    Source: fixxing.exe | Joe Sandbox ML: detected
    Antivirus or Machine Learning detection for unpacked file
    Source: 5.2.fixxing.exe.37b8a20.7.unpack | Avira: Label: TR/NanoCore.fadte
    Source: 5.2.fixxing.exe.5a50000.20.unpack | Avira: Label: TR/NanoCore.fadte
    Source: 5.2.fixxing.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
    Source: fixxing.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: fixxing.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: fixxing.exe, 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp

    Networking:

    Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
    Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B, 192.168.2.3 -> 45.137.22.50:4557, 20 alerts from source ports 49724, 49727, 49728, 49732, 49735, 49736, 49737, 49741, 49742, 49748, 49750, 49751, 49752, 49753, 49756, 49757, 49758, 49759, 49761, 49762
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: 45.137.22.50
    Source: Malware configuration extractor | URLs: 127.0.0.1
    Source: global traffic | TCP traffic: 192.168.2.3:49724 -> 45.137.22.50:4557
    Source: Joe Sandbox View | IP Address: 45.137.22.50
    Source: Joe Sandbox View | ASN Name: ROOTLAYERNETNL
    Source: unknown | TCP traffic detected without corresponding DNS query: 45.137.22.50 (50 occurrences)
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: fixxing.exe | String found in binary or memory: https://admin.neonova.net/index.php
    Source: fixxing.exe | String found in binary or memory: https://admin.neonova.net/index.phpKhttps://support.neonova.net/login.phpmhttps://calix.force.com/id
    Source: fixxing.exe | String found in binary or memory: https://calix.force.com/idp/login?app=0sp70000000001i#
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
    Source: fixxing.exe | String found in binary or memory: https://support.bandwidth.com/hc/en-us/restricted?return_to=https%3A%2F%2Fsupport.bandwidth.com%2Fhc
    Source: fixxing.exe | String found in binary or memory: https://support.neonova.net/login.php
    Source: fixxing.exe | String found in binary or memory: https://www.rtctel.com/
    Source: fixxing.exe, 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
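The Snort hits and the "TCP traffic without corresponding DNS query" entries above describe the same pattern: a hard-coded C2 address contacted over and over on a non-standard port. The Python below is an added example (not Joe Sandbox code) that scores that pattern over constructed flow records modelled on this report's traffic: 20 connections from 192.168.2.3 to 45.137.22.50:4557, here spaced 5 s apart, plus one benign HTTPS connection to the documentation address 203.0.113.10 that was preceded by a DNS answer. The timestamps, the benign destination, the internal-range list and the scoring thresholds are this example's own assumptions. Because this configuration enables UseCustomDNS with 8.8.8.8 and 8.8.4.4, the "seen in DNS" set must be built from DNS observed on the wire rather than from the internal resolver's logs, or a hostname-based C2 in a sibling build would look exactly like this one.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed flow records (not a real pcap), modelled on the report's
# traffic. Tuple layout: (t_seconds, src_ip, src_port, dst_ip, dst_port).
FLOWS = [(5.0 * i, "192.168.2.3", 49724 + i, "45.137.22.50", 4557) for i in range(20)]
FLOWS.append((7.0, "192.168.2.3", 49800, "203.0.113.10", 443))   # benign, had a DNS answer

# Constructed: destination IPs that appeared in DNS answers on the wire.
DNS_ANSWERS = {"203.0.113.10": ["www.example.invalid"]}

# Assumed list of ranges that never count as "external".
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports where direct-to-IP traffic is common enough not to add to the score (assumed).
COMMON_PORTS = {80, 443, 53, 25, 587, 993, 995}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or any(addr in net for net in INTERNAL))


def connections_without_dns(flows, dns_answers):
    """Group connection timestamps per (dst_ip, dst_port) for external
    destinations that never showed up in a DNS answer."""
    seen = defaultdict(list)
    for t, _src, _sport, dst, dport in flows:
        if is_internal(dst) or dst in dns_answers:
            continue
        seen[(dst, dport)].append(t)
    return {key: sorted(ts) for key, ts in seen.items()}


def interval_stats(timestamps):
    """Median gap between consecutive connections and the spread of the gaps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if not gaps:
        return None, None
    return median(gaps), max(gaps) - min(gaps)


def findings(flows, dns_answers, min_connections=5):
    """One finding per suspicious destination; higher score = more beacon-like
    (many connections, regular spacing, unusual port)."""
    out = []
    for (dst, dport), ts in connections_without_dns(flows, dns_answers).items():
        if len(ts) < min_connections:
            continue
        med, jitter = interval_stats(ts)
        score = 1                                            # repeated, DNS-less, external
        score += 1 if dport not in COMMON_PORTS else 0       # non-standard port
        score += 1 if med and jitter <= 0.2 * med else 0     # regular cadence
        out.append({"dst": (dst, dport), "connections": len(ts),
                    "median_interval_s": med, "jitter_s": jitter, "score": score})
    return sorted(out, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in findings(FLOWS, DNS_ANSWERS):
        print(f)
```

On real data, feed connections_without_dns the DNS answers from the same capture window and widen INTERNAL to whatever the estate routes internally; the sandbox's own "without corresponding DNS query" signature is the single-connection version of the same check.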

    E-Banking Fraud:

    Yara detected Nanocore RAT (same memory-dump and unpacked-PE matches as listed under AV Detection)

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.487434335.0000000004267000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.3.fixxing.exe.43962f5.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42c3717.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27d47cc.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42cc546.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.3.fixxing.exe.437c29e.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.277cec4.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42da976.13.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5310000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5f50000.23.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27e0a14.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4163104.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5f50000.23.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4163104.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.6430000.24.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42da976.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4171520.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27d47cc.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27d47cc.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4171520.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.27f5050.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27f5050.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.fixxing.exe.41761bf.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.6430000.24.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.42cc546.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27e0a14.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.fixxing.exe.27e0a14.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.3.fixxing.exe.43908c9.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.3.fixxing.exe.43962f5.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.3.fixxing.exe.437c29e.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_005133FA
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_027B9970
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_04F1C988
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_005137CA
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 0_2_0051379E
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_004533FA
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_05F502B0
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_04CDE480
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_04CDE471
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_04CDBBD4
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_004537CA
    Source: C:\Users\user\Desktop\fixxing.exe | Code function: 5_2_0045379E
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe 91F6FC2AE99E090DAD56E53C7BF258DD4F43DF79AC02A11F2620C31F045FC87F (same SHA256 as the submitted sample: the dropped file is a byte-for-byte copy of fixxing.exe)
    Source: fixxing.exe, 00000000.00000002.226009182.0000000003AAA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.230620128.000000000B820000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.223906091.00000000005B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDebugger.exe: vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.230849145.000000000B910000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs fixxing.exe
    Source: fixxing.exe, 00000000.00000002.230849145.000000000B910000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs fixxing.exe
    Source: fixxing.exe | Binary or memory string: OriginalFilename vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.489442157.0000000005CC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487279743.000000000415F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487279743.000000000415F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487279743.000000000415F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487279743.000000000415F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.489057068.0000000005960000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.479712416.00000000004F4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDebugger.exe: vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.488685995.0000000004DF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs fixxing.exe
    Source: fixxing.exe, 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs fixxing.exe
    Source: fixxing.exeBinary or memory string: OriginalFilenameDebugger.exe: vs fixxing.exe
    Source: fixxing.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.487434335.0000000004267000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.3.fixxing.exe.43962f5.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.3.fixxing.exe.43962f5.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42c3717.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42c3717.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.27d47cc.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27d47cc.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42cc546.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42cc546.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.3.fixxing.exe.437c29e.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.3.fixxing.exe.437c29e.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.277cec4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.277cec4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42da976.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42da976.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5310000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5310000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5f50000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5f50000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.27e0a14.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27e0a14.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4163104.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4163104.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5f50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5f50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4163104.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4163104.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.6430000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.6430000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42c3717.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42da976.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42da976.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4171520.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4171520.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.27d47cc.5.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27d47cc.5.raw.unpack, type: UNPACKEDPE -- Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4171520.8.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4171520.8.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE -- Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE -- Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.27f5050.4.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27f5050.4.raw.unpack, type: UNPACKEDPE -- Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.fixxing.exe.41761bf.10.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.41761bf.10.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.6430000.24.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.6430000.24.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.42cc546.11.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.42cc546.11.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 5.2.fixxing.exe.27e0a14.3.raw.unpack, type: UNPACKEDPE -- Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.fixxing.exe.27e0a14.3.raw.unpack, type: UNPACKEDPE -- Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.3.fixxing.exe.43908c9.1.raw.unpack, type: UNPACKEDPE -- Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.3.fixxing.exe.43962f5.0.raw.unpack, type: UNPACKEDPE -- Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.3.fixxing.exe.437c29e.2.raw.unpack, type: UNPACKEDPE -- Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: fixxing.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: xQGPeospVmcjdT.exe.0.dr -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs -- Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs -- Cryptographic APIs: 'CreateDecryptor'
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs -- Cryptographic APIs: 'TransformFinalBlock'
    Source: classification engine -- Classification label: mal100.troj.evad.winEXE@6/8@0/1
    Source: C:\Users\user\Desktop\fixxing.exe -- File created: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe
    Source: C:\Users\user\Desktop\fixxing.exe -- Mutant created: \Sessions\1\BaseNamedObjects\CbvNEC
    Source: C:\Users\user\Desktop\fixxing.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Global\{cbea22e5-f897-4039-a352-cfbfd96fa986}
    Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_01
    Source: C:\Users\user\Desktop\fixxing.exe -- File created: C:\Users\user\AppData\Local\Temp\tmp86B5.tmp
    Source: fixxing.exe -- Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\fixxing.exe -- Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\fixxing.exe -- File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Users\user\Desktop\fixxing.exe -- Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: Select * from Clientes WHERE id=@id;;
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
    Source: fixxing.exe -- Virustotal: Detection: 32%
    Source: fixxing.exe -- Metadefender: Detection: 15%
    Source: fixxing.exe -- ReversingLabs: Detection: 59%
    Source: C:\Users\user\Desktop\fixxing.exe -- File read: C:\Users\user\Desktop\fixxing.exe
    Source: unknown -- Process created: C:\Users\user\Desktop\fixxing.exe 'C:\Users\user\Desktop\fixxing.exe'
    Source: C:\Users\user\Desktop\fixxing.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\fixxing.exe -- Process created: C:\Users\user\Desktop\fixxing.exe C:\Users\user\Desktop\fixxing.exe
    Source: C:\Users\user\Desktop\fixxing.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'
    Source: C:\Users\user\Desktop\fixxing.exe -- Process created: C:\Users\user\Desktop\fixxing.exe C:\Users\user\Desktop\fixxing.exe
    Source: C:\Users\user\Desktop\fixxing.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
    Source: C:\Users\user\Desktop\fixxing.exe -- File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: fixxing.exe -- Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: fixxing.exe -- Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: fixxing.exe, 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs -- .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs -- .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\fixxing.exe -- Code function: 5_2_04CDE349 pushad ; iretd
    Source: initial sample -- Static PE information: section name: .text entropy: 7.76210474352
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs -- High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 5.2.fixxing.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs -- High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\fixxing.exe -- File created: C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Users\user\Desktop\fixxing.exe -- Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\fixxing.exe -- File opened: C:\Users\user\Desktop\fixxing.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\fixxing.exe -- Registry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\fixxing.exe -- Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM3
    Source: Yara match -- File source: 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match -- File source: Process Memory Space: fixxing.exe PID: 5808, type: MEMORY
    Source: Yara match -- File source: 0.2.fixxing.exe.290f5a0.1.raw.unpack, type: UNPACKEDPE
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: SBIEDLL.DLL
    Source: C:\Users\user\Desktop\fixxing.exe -- File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: C:\Users\user\Desktop\fixxing.exe -- Code function: 0_2_005136B3 sldt word ptr [eax]
    Source: C:\Users\user\Desktop\fixxing.exe -- Thread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\fixxing.exe -- Window / User API: threadDelayed 6193
    Source: C:\Users\user\Desktop\fixxing.exe -- Window / User API: threadDelayed 2951
    Source: C:\Users\user\Desktop\fixxing.exe -- Window / User API: foregroundWindowGot 616
    Source: C:\Users\user\Desktop\fixxing.exe -- Window / User API: foregroundWindowGot 815
    Source: C:\Users\user\Desktop\fixxing.exe TID: 5936 -- Thread sleep time: -104719s >= -30000s
    Source: C:\Users\user\Desktop\fixxing.exe TID: 6000 -- Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\fixxing.exe TID: 4084 -- Thread sleep time: -8301034833169293s >= -30000s
    Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
    Source: C:\Users\user\Desktop\fixxing.exe -- Thread delayed: delay time: 104719
    Source: C:\Users\user\Desktop\fixxing.exe -- Thread delayed: delay time: 922337203685477
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: vmware
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: VMWARE
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA II
    Source: fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp -- Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: C:\Users\user\Desktop\fixxing.exe -- Process information queried: ProcessInformation
    Source: C:\Users\user\Desktop\fixxing.exe -- Process token adjusted: Debug
    Source: C:\Users\user\Desktop\fixxing.exe -- Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Injects a PE file into a foreign processesShow sources
    Source: C:\Users\user\Desktop\fixxing.exeMemory written: C:\Users\user\Desktop\fixxing.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\fixxing.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'
    Source: C:\Users\user\Desktop\fixxing.exeProcess created: C:\Users\user\Desktop\fixxing.exe C:\Users\user\Desktop\fixxing.exe
    Source: fixxing.exe, 00000005.00000002.484267646.0000000002B47000.00000004.00000001.sdmpBinary or memory string: Program Manager
    Source: fixxing.exe, 00000005.00000002.481635543.0000000001200000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: fixxing.exe, 00000005.00000002.481635543.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: fixxing.exe, 00000005.00000002.489255636.0000000005BBC000.00000004.00000001.sdmp | Binary or memory string: Program Managerram Manager
    Source: fixxing.exe, 00000005.00000002.484267646.0000000002B47000.00000004.00000001.sdmp | Binary or memory string: Program Manager|$
    Source: fixxing.exe, 00000005.00000002.481635543.0000000001200000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: fixxing.exe, 00000005.00000002.485646851.0000000002D36000.00000004.00000001.sdmp | Binary or memory string: Program ManagerF8
    Source: fixxing.exe, 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp | Binary or memory string: Program ManagerD$&l
    Source: fixxing.exe, 00000005.00000002.484267646.0000000002B47000.00000004.00000001.sdmp | Binary or memory string: Program Manager@
    Source: fixxing.exe, 00000005.00000002.489636922.00000000061EB000.00000004.00000001.sdmp | Binary or memory string: Program Manager|
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Users\user\Desktop\fixxing.exe VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\fixxing.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\fixxing.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\fixxing.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\fixxing.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match | File source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.481816000.0000000002751000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY
    Source: Yara match | File source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: fixxing.exe | String found in binary or memory: NanoCore.ClientPluginHost
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: fixxing.exe, 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: fixxing.exe, 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Yara detected Nanocore RAT
    Source: Yara match | File source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.481816000.0000000002751000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: fixxing.exe PID: 4700, type: MEMORY
    Source: Yara match | File source: 5.2.fixxing.exe.5a50000.20.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.fixxing.exe.39f4dc8.2.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37b8a20.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.5a54629.21.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4352a0a.14.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37b8a20.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4357840.16.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.5a50000.20.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.fixxing.exe.39f4dc8.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.435be69.15.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.4357840.16.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.fixxing.exe.37bd049.6.raw.unpack, type: UNPACKEDPE

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection112 | Masquerading1 | Input Capture11 | Query Registry1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery221 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion41 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion41 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

    Behavior Graph


    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    fixxing.exe | 32% | Virustotal | | Browse
    fixxing.exe | 18% | Metadefender | | Browse
    fixxing.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.Agentesla |
    fixxing.exe | 100% | Joe Sandbox ML | |

    Dropped Files

    Source | Detection | Scanner | Label | Link
    C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | 100% | Joe Sandbox ML | |
    C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | 18% | Metadefender | | Browse
    C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | 60% | ReversingLabs | ByteCode-MSIL.Trojan.Agentesla |

    Unpacked PE Files

    Source | Detection | Scanner | Label | Link | Download
    5.2.fixxing.exe.37b8a20.7.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File
    5.2.fixxing.exe.5a50000.20.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File
    5.2.fixxing.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label | Link
    45.137.22.50 | 1% | Virustotal | | Browse
    45.137.22.50 | 0% | Avira URL Cloud | safe |
    https://www.rtctel.com/ | 0% | Virustotal | | Browse
    https://www.rtctel.com/ | 0% | Avira URL Cloud | safe |
    127.0.0.1 | 0% | Virustotal | | Browse
    127.0.0.1 | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
45.137.22.50 | true | Virustotal 1%; Avira URL Cloud: safe | unknown
127.0.0.1 | true | Virustotal 0%; Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://support.bandwidth.com/hc/en-us/restricted?return_to=https%3A%2F%2Fsupport.bandwidth.com%2Fhc | fixxing.exe | false | - | high
https://support.neonova.net/login.php | fixxing.exe | false | - | high
https://admin.neonova.net/index.php | fixxing.exe | false | - | high
https://www.rtctel.com/ | fixxing.exe | false | Virustotal 0%; Avira URL Cloud: safe | unknown
https://admin.neonova.net/index.phpKhttps://support.neonova.net/login.phpmhttps://calix.force.com/id | fixxing.exe | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp | false | - | high
https://calix.force.com/idp/login?app=0sp70000000001i# | fixxing.exe | false | - | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | fixxing.exe, 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.137.22.50 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 403128
Start date: 03.05.2021
Start time: 19:47:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 36s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: fixxing.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/8@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
19:48:08 | API Interceptor | 1025x Sleep call for process: fixxing.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
45.137.22.50 | note-mxm.exe | malicious
45.137.22.50 | purchase order confirmation.exe | malicious
45.137.22.50 | purchase order acknowledgement.exe | malicious
45.137.22.50 | TBBurmah Trading Co., Ltd - products inquiry .exe | malicious
45.137.22.50 | PURCHASE ORDER - #0022223 DATED 29042021.exe | malicious
45.137.22.50 | PURCHASE ORDER - #0022223, date29042021.exe | malicious
45.137.22.50 | B_N SAO SWIFT MT103.exe | malicious
45.137.22.50 | PURCHASE ORDER - #0022223 DATED 28042021.exe | malicious
45.137.22.50 | Al kabous group Ltd - purchase order #04272021.exe | malicious
45.137.22.50 | Mack Trading Limited - products list.exe | malicious
45.137.22.50 | Kim Quy Trading - PRODUCTS LISTS.exe | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
ROOTLAYERNETNL | note-mxm.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | purchase order confirmation.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | purchase order acknowledgement.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | TBBurmah Trading Co., Ltd - products inquiry .exe | malicious | 45.137.22.50
ROOTLAYERNETNL | FRIEGHT PAYMENT 41,634.20 USD..exe | malicious | 45.137.22.107
ROOTLAYERNETNL | Due Invoices.exe | malicious | 45.137.22.107
ROOTLAYERNETNL | PURCHASE ORDER - #0022223 DATED 29042021.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | PURCHASE ORDER - #0022223, date29042021.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | B_N SAO SWIFT MT103.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | PO0900009.exe | malicious | 185.222.58.152
ROOTLAYERNETNL | PURCHASE ORDER - #0022223 DATED 28042021.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | Order ConfirmationSANQAW12NC9W03.exe | malicious | 185.222.57.152
ROOTLAYERNETNL | PO MT2249C.exe | malicious | 185.222.57.152
ROOTLAYERNETNL | Al kabous LtdPurchase order NO#00421876.exe | malicious | 185.222.57.152
ROOTLAYERNETNL | Al kabous group Ltd - purchase order #04272021.exe | malicious | 45.137.22.50
ROOTLAYERNETNL | 0900000000000000000900.exe | malicious | 185.222.58.152
ROOTLAYERNETNL | P08240421_CIF-Pdf.exe | malicious | 45.137.22.123
ROOTLAYERNETNL | ORD-63648.exe | malicious | 45.137.22.123
ROOTLAYERNETNL | FA0900009000.exe | malicious | 185.222.58.152
ROOTLAYERNETNL | Packinglist&certificate of imports.exe | malicious | 185.222.57.152

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe | purchase order confirmation.exe | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fixxing.exe.log
Process: C:\Users\user\Desktop\fixxing.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp86B5.tmp
Process: C:\Users\user\Desktop\fixxing.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.1976832556708175
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBVqBtn:cbh47TlNQ//rydbz9I3YODOLNdq3j+
MD5: 711F9E16C0FBC75B09CFA0CDFD720915
SHA1: F21F57A9E5ED5894D4743A3F3DE0CE3D3B9FBE3B
SHA-256: 1E6B7105305FAE8EC803C5669EFCE337B1207AC0B38B19AA2C3513C0D1C88D54
SHA-512: 59FCFAB5AB3913FBD90F5AF156C496130DB4162256E150DE2AB3E2207F239B99490AAA84F759F016FCFC6184E8E3A7479EB13C8B11D5236236094D09A5680F27
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\fixxing.exe
File Type: data
Category: dropped
Size (bytes): 1856
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
MD5: 838CD9DBC78EA45A5406EAE23962086D
SHA1: C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
SHA-256: 6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
SHA-512: F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
Malicious: false
Reputation: moderate, very likely benign file
Preview: (binary data omitted)

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\fixxing.exe
File Type: data
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:PCot:6ot
MD5: FE39AF73DBC3CEDCDE515A5AC1E37181
SHA1: 7A09829329D36895F3DF3426447D30B832A83658
SHA-256: 05FBCBC3F0AE751B30F246D1336A6ADDC4DE211B480CAB5F34410B795D39C9FB
SHA-512: 1B5D97B15A9C4AAE09CC869E870ABE1F7ADDB9C584DFCAA8FDA3FFF67DEAA826CE877DBC53E74F449F9CB39A09D1D3A5FE30007327C33C9D64519AA2F592C130
Malicious: true
Reputation: low
Preview: .vM....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\Desktop\fixxing.exe
File Type: data
Category: dropped
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
Reputation: moderate, very likely benign file
Preview: 9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\Desktop\fixxing.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
Reputation: moderate, very likely benign file
Preview: (binary data omitted)

C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe
Process: C:\Users\user\Desktop\fixxing.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 730112
Entropy (8bit): 7.682661934320617
Encrypted: false
SSDEEP: 12288:ctl3e+PHoCAQ1q5y/e2h3QFRiFD94KnBedBJmrRiD8pBf5rcrM:ctl3e+foC/q4oDiFJRBedOrQYpR5rm
MD5: 0D50C8E7C3F044099056BFB318F108C6
SHA1: 538871E91C9CAC38AF31BD09FE456843D841F586
SHA-256: 91F6FC2AE99E090DAD56E53C7BF258DD4F43DF79AC02A11F2620C31F045FC87F
SHA-512: 5364611735FE235A94A0339EAE7511472EEAB0B892E9E1A17DA46F23802F82C4C2B225BED37953226A1B8B84D6711F16EEE15F28254D5A4D68BC26E378B7C7AD
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 18%
• Antivirus: ReversingLabs, Detection: 60%
Joe Sandbox View:
• Filename: purchase order confirmation.exe, Detection: malicious
Preview: (PE binary data omitted)

C:\Users\user\AppData\Roaming\xQGPeospVmcjdT.exe:Zone.Identifier
Process: C:\Users\user\Desktop\fixxing.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.682661934320617
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: fixxing.exe
File size: 730112
MD5: 0d50c8e7c3f044099056bfb318f108c6
SHA1: 538871e91c9cac38af31bd09fe456843d841f586
SHA256: 91f6fc2ae99e090dad56e53c7bf258dd4f43df79ac02a11f2620c31f045fc87f
SHA512: 5364611735fe235a94a0339eae7511472eeab0b892e9e1a17da46f23802f82c4c2b225bed37953226a1b8b84d6711f16eee15f28254d5a4d68bc26e378b7c7ad
SSDEEP: 12288:ctl3e+PHoCAQ1q5y/e2h3QFRiFD94KnBedBJmrRiD8pBf5rcrM:ctl3e+foC/q4oDiFJRBedOrQYpR5rm
File Content Preview: (PE binary data omitted)

File Icon

Icon Hash: 849494a4a4a4e464

Static PE Info

General

Entrypoint: 0x4a2d62
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x608D050B [Sat May 1 07:36:43 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the bytes that follow are zero padding, which disassembles as a run of repeated add byte ptr [eax], al instructions)
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          | Name                                 | Virtual Address | Virtual Size | Is in Section |
                                          |--------------------------------------|-----------------|--------------|---------------|
                                          | IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xa2d10         | 0x4f         | .text         |
                                          | IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xa4000         | 0x11138      | .rsrc         |
                                          | IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xb6000         | 0xc          | .reloc        |
                                          | IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text         |
                                          | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |               |
                                          | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text         |
                                          | IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |               |

                                          Sections

                                          | Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics                                                                  |
                                          |--------|-----------------|--------------|----------|----------|-----------------|-----------|----------------|----------------------------------------------------------------------------------|
                                          | .text  | 0x2000          | 0xa0d68      | 0xa0e00  | False    | 0.853620337995  | data      | 7.76210474352  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ                    |
                                          | .rsrc  | 0xa4000         | 0x11138      | 0x11200  | False    | 0.11155622719   | data      | 5.26971437241  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                               |
                                          | .reloc | 0xb6000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ    |

                                          Resources

                                          | Name          | RVA     | Size    | Type                                             | Language | Country |
                                          |---------------|---------|---------|--------------------------------------------------|----------|---------|
                                          | RT_ICON       | 0xa4130 | 0x10828 | data                                             |          |         |
                                          | RT_GROUP_ICON | 0xb4958 | 0x14    | data                                             |          |         |
                                          | RT_VERSION    | 0xb496c | 0x30c   | data                                             |          |         |
                                          | RT_MANIFEST   | 0xb4c78 | 0x4bd   | XML 1.0 document, UTF-8 Unicode (with BOM) text  |          |         |

                                          Imports

                                          | DLL         | Import      |
                                          |-------------|-------------|
                                          | mscoree.dll | _CorExeMain |

                                          Version Infos

                                          | Description      | Data          |
                                          |------------------|---------------|
                                          | Translation      | 0x0000 0x04b0 |
                                          | LegalCopyright   |               |
                                          | Assembly Version | 1.0.0.0       |
                                          | InternalName     | Debugger.exe  |
                                          | FileVersion      | 1.0.0.0       |
                                          | CompanyName      |               |
                                          | LegalTrademarks  |               |
                                          | Comments         |               |
                                          | ProductName      | RogueButtons  |
                                          | ProductVersion   | 1.0.0.0       |
                                          | FileDescription  | RogueButtons  |
                                          | OriginalFilename | Debugger.exe  |

                                          Network Behavior

                                          Snort IDS Alerts

                                          | Timestamp                | Protocol | SID     | Message                            | Source Port | Dest Port | Source IP   | Dest IP      |
                                          |--------------------------|----------|---------|------------------------------------|-------------|-----------|-------------|--------------|
                                          | 05/03/21-19:48:16.892186 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49724       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:48:23.328869 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:48:28.259692 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49728       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:48:34.313765 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49732       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:48:40.300527 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49735       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:48:46.350416 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:48:52.395241 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:48:58.513579 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49741       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:05.642550 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49742       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:11.743009 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49748       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:17.725023 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:23.741350 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:29.790151 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49752       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:35.792248 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49753       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:41.791022 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49756       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:47.805502 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49757       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:53.947358 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49758       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:49:59.949354 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49759       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:50:06.047937 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49761       | 4557      | 192.168.2.3 | 45.137.22.50 |
                                          | 05/03/21-19:50:12.307942 | TCP      | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49762       | 4557      | 192.168.2.3 | 45.137.22.50 |

                                          Network Port Distribution

                                          TCP Packets

                                          | Timestamp                          | Source Port | Dest Port | Source IP    | Dest IP      |
                                          |------------------------------------|-------------|-----------|--------------|--------------|
                                          | May 3, 2021 19:48:16.770478010 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:16.817135096 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:16.817271948 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:16.892185926 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:16.961973906 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:16.981944084 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.029064894 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.056797028 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.125231028 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.125410080 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.158269882 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.158327103 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.158365965 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.158413887 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.158423901 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.158452034 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.158452988 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.158519983 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.203636885 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205080986 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205136061 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205174923 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205235958 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205291033 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205348015 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205442905 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205492973 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205519915 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.205658913 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.252422094 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252463102 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252496958 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252538919 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252587080 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252592087 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.252624035 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.252628088 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252659082 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252687931 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252691984 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.252717972 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252746105 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.252747059 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252777100 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252808094 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252836943 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.252852917 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.252892971 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.299448013 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299506903 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299546957 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299583912 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299655914 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299695015 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299710989 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.299742937 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299782038 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.299786091 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299789906 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.299814939 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299853086 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299880028 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.299890995 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299928904 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.299963951 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.299966097 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300004005 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300050974 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300055027 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.300092936 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300118923 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.300131083 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300168991 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300206900 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300242901 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300266981 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.300281048 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.300282001 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300321102 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300368071 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300393105 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.300410032 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300447941 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300451040 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.300477982 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.300538063 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.347068071 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347121954 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347157001 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347188950 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347222090 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347244024 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.347254038 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347285032 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.347295046 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347327948 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347347975 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.347352028 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |
                                          | May 3, 2021 19:48:17.347384930 CEST | 49724       | 4557      | 192.168.2.3  | 45.137.22.50 |
                                          | May 3, 2021 19:48:17.347392082 CEST | 4557        | 49724     | 45.137.22.50 | 192.168.2.3  |

                                          Code Manipulations

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                          Start time: 19:48:07
                                          Start date: 03/05/2021
                                          Path: C:\Users\user\Desktop\fixxing.exe
                                          Wow64 process (32bit): true
                                          Commandline: 'C:\Users\user\Desktop\fixxing.exe'
                                          Imagebase: 0x510000
                                          File size: 730112 bytes
                                          MD5 hash: 0D50C8E7C3F044099056BFB318F108C6
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.224977939.00000000028E1000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.225554713.00000000038E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation: low

                                          General

                                          Start time: 19:48:11
                                          Start date: 03/05/2021
                                          Path: C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit): true
                                          Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xQGPeospVmcjdT' /XML 'C:\Users\user\AppData\Local\Temp\tmp86B5.tmp'
                                          Imagebase: 0x1000000
                                          File size: 185856 bytes
                                          MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: high

                                          General

                                          Start time: 19:48:11
                                          Start date: 03/05/2021
                                          Path: C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase: 0x7ff6b2800000
                                          File size: 625664 bytes
                                          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: high

                                          General

                                          Start time: 19:48:12
                                          Start date: 03/05/2021
                                          Path: C:\Users\user\Desktop\fixxing.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Users\user\Desktop\fixxing.exe
                                          Imagebase: 0x450000
                                          File size: 730112 bytes
                                          MD5 hash: 0D50C8E7C3F044099056BFB318F108C6
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.489550549.0000000005F50000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.488981996.0000000005310000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.486030987.00000000037A9000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.489178214.0000000005A50000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.250512467.0000000004373000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.479168192.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.487530331.0000000004352000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.481816000.0000000002751000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.487434335.0000000004267000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.489813017.0000000006430000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.481888361.00000000027BD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation: low

                                          Disassembly

                                          Code Analysis
