Windows Analysis Report XnQ8NBKkhW.exe

Overview

General Information

Sample Name: XnQ8NBKkhW.exe
Analysis ID: 502390
MD5: c2f9ae069b620080b761d9280473e7aa
SHA1: 3df08169a1cb6ec49b4359e5b580c56da2740945
SHA256: 1ff5df8d27ee5989ad0e7c7270bf3c6d711a4ea6141043dedf2ce7028ae1bf42
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locale information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to simulate mouse events
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

AV Detection:

Yara detected Nanocore RAT
Source: Yara match File source: 21.2.RegSvcs.exe.4914d2d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegSvcs.exe.490b8ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4860704.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.4209268.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.509ee78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.426ee78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.509ee78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegSvcs.exe.4910704.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6314629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4860704.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6310000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6310000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4864d2d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegSvcs.exe.4910704.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.358703813.00000000038C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR
Multi AV Scanner detection for submitted file
Source: XnQ8NBKkhW.exe Virustotal: Detection: 39%
Source: XnQ8NBKkhW.exe ReversingLabs: Detection: 46%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\68821130\plfiqbrm.pif Virustotal: Detection: 31%
Source: C:\Users\user\68821130\plfiqbrm.pif ReversingLabs: Detection: 32%
Antivirus or Machine Learning detection for unpacked file
Source: 21.2.RegSvcs.exe.1300000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 13.2.RegSvcs.exe.6310000.8.unpack Avira: Label: TR/NanoCore.fadte
Source: 13.2.RegSvcs.exe.1000000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: XnQ8NBKkhW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: XnQ8NBKkhW.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: XnQ8NBKkhW.exe
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000002.514255338.0000000000C22000.00000002.00020000.sdmp, RegSvcs.exe, 00000013.00000000.324832145.00000000002E2000.00000002.00020000.sdmp, RegSvcs.exe, 00000015.00000002.357889426.0000000000F22000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000015.00000002.357889426.0000000000F22000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0137A2DF
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0138AFB9
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01399FD3 FindFirstFileExA, 0_2_01399FD3
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C1399B GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00C1399B
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C2BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 8_2_00C2BCB3
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C32408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose, 8_2_00C32408
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C58877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 8_2_00C58877
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C2280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00C2280D
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C3CAE7 FindFirstFileW,FindNextFileW,FindClose, 8_2_00C3CAE7
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C11A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00C11A73
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00C1399B GetFileAttributesW,FindFirstFileW,FindClose, 15_2_00C1399B

Networking:

Uses dynamic DNS services
Source: unknown DNS query: name: ezeani.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49764 -> 194.5.98.48:8338
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0N
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository/0
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository/03
Source: plfiqbrm.pif.0.dr String found in binary or memory: http://www.globalsign.net/repository09
Source: unknown DNS traffic detected: queries for: ezeani.duckdns.org
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C22285 InternetQueryDataAvailable,InternetReadFile, 8_2_00C22285

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C242E1 GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW, 8_2_00C242E1
Contains functionality to read data from the clipboard
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C3A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_00C3A0FC
Contains functionality to read the clipboard data
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C4D91D OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,LdrInitializeThunk,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 8_2_00C4D91D
Installs a raw input device (often for capturing keystrokes)
Source: RegSvcs.exe, 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices
Potential key logger detected (key state polling based)
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C5C7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 8_2_00C5C7D6

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File sources: identical to the UNPACKEDPE, MEMORY and MEMORYSTR sources listed under "Yara detected Nanocore RAT" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 13.2.RegSvcs.exe.6110000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.RegSvcs.exe.4914d2d.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.RegSvcs.exe.490b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.RegSvcs.exe.490b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4860704.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.4209268.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.4209268.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.3.plfiqbrm.pif.509ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.509ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.3.plfiqbrm.pif.426ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.426ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.RegSvcs.exe.3929674.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.509ee78.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.509ee78.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.RegSvcs.exe.4910704.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.6314629.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4860704.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.6310000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.6310000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.4864d2d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.RegSvcs.exe.4910704.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.RegSvcs.exe.383ce74.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.520986840.0000000006110000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.358703813.00000000038C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Detected potential crypto function
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_013783C0 0_2_013783C0
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138626D 0_2_0138626D
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01390113 0_2_01390113
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0139C0B0 0_2_0139C0B0
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_013730FC 0_2_013730FC
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_013833D3 0_2_013833D3
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138F3CA 0_2_0138F3CA
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137E510 0_2_0137E510
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0139C55E 0_2_0139C55E
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01390548 0_2_01390548
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137F5C5 0_2_0137F5C5
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_013A0654 0_2_013A0654
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138364E 0_2_0138364E
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_013866A2 0_2_013866A2
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01372692 0_2_01372692
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137E973 0_2_0137E973
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138397F 0_2_0138397F
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138589E 0_2_0138589E
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138F8C6 0_2_0138F8C6
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137BAD1 0_2_0137BAD1
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137DADD 0_2_0137DADD
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01375D7E 0_2_01375D7E
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01393CBA 0_2_01393CBA
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01386CDB 0_2_01386CDB
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138FCDE 0_2_0138FCDE
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137DF12 0_2_0137DF12
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01373EAD 0_2_01373EAD
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01393EE9 0_2_01393EE9
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BE35F0 8_2_00BE35F0
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BE98F0 8_2_00BE98F0
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BFA137 8_2_00BFA137
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF2136 8_2_00BF2136
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C0427D 8_2_00C0427D
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BE98F0 8_2_00BE98F0
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C2655F 8_2_00C2655F
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF2508 8_2_00BF2508
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BEF730 8_2_00BEF730
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF3721 8_2_00BF3721
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C0088F 8_2_00C0088F
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF28F0 8_2_00BF28F0
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BFC8CE 8_2_00BFC8CE
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF1903 8_2_00BF1903
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C5EA2B 8_2_00C5EA2B
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C03BA1 8_2_00C03BA1
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C00DE0 8_2_00C00DE0
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF1D98 8_2_00BF1D98
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C22D2D 8_2_00C22D2D
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C2CE8D 8_2_00C2CE8D
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C24EB7 8_2_00C24EB7
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_01CFE480 13_2_01CFE480
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_01CFE471 13_2_01CFE471
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_01CFBBD4 13_2_01CFBBD4
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_071F0980 13_2_071F0980
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BE98F0 15_2_00BE98F0
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BE35F0 15_2_00BE35F0
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00C0088F 15_2_00C0088F
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BFC8CE 15_2_00BFC8CE
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BFA137 15_2_00BFA137
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BF1903 15_2_00BF1903
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BEF730 15_2_00BEF730
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BF3721 15_2_00BF3721
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00C01F2C 15_2_00C01F2C
Contains functionality to launch a process as a different user
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C26219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_00C26219
PE file contains strange resources
Source: plfiqbrm.pif.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Section loaded: dxgidebug.dll
Uses 32bit PE files
Source: XnQ8NBKkhW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 13.2.RegSvcs.exe.6110000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.6110000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.RegSvcs.exe.4914d2d.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.RegSvcs.exe.4914d2d.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.RegSvcs.exe.490b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.RegSvcs.exe.490b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.RegSvcs.exe.490b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4860704.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.4860704.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.4209268.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.3.plfiqbrm.pif.4209268.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.4209268.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.3.plfiqbrm.pif.509ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.509ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.509ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.3.plfiqbrm.pif.426ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.3.plfiqbrm.pif.426ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.426ee78.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.RegSvcs.exe.3929674.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.RegSvcs.exe.3929674.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.509ee78.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.509ee78.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.509ee78.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.RegSvcs.exe.4910704.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.RegSvcs.exe.4910704.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.6314629.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.6314629.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4860704.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.4860704.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.6310000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.6310000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.6310000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.6310000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.4864d2d.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.4864d2d.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.RegSvcs.exe.4910704.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.RegSvcs.exe.4910704.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.RegSvcs.exe.383ce74.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.RegSvcs.exe.383ce74.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.520986840.0000000006110000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.520986840.0000000006110000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.358703813.00000000038C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C133A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 8_2_00C133A3
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: String function: 0138D940 appears 51 times
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: String function: 0138E2F0 appears 31 times
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: String function: 0138D870 appears 35 times
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: String function: 00C259E6 appears 70 times
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: String function: 00BF14F7 appears 44 times
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: String function: 00BF6B90 appears 65 times
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: String function: 00BF8115 appears 35 times
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: String function: 00BF333F appears 36 times
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01376FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_01376FC6
Source: XnQ8NBKkhW.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe File created: C:\Users\user\68821130
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/38@9/2
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe File read: C:\Windows\win.ini
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01376D06 GetLastError,FormatMessageW, 0_2_01376D06
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0138963A
Source: XnQ8NBKkhW.exe Virustotal: Detection: 39%
Source: XnQ8NBKkhW.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe File read: C:\Users\user\Desktop\XnQ8NBKkhW.exe
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\XnQ8NBKkhW.exe 'C:\Users\user\Desktop\XnQ8NBKkhW.exe'
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Process created: C:\Users\user\68821130\plfiqbrm.pif 'C:\Users\user\68821130\plfiqbrm.pif' mofcxpne.aan
Source: C:\Users\user\68821130\plfiqbrm.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: unknown Process created: C:\Users\user\68821130\plfiqbrm.pif 'C:\Users\user\68821130\plfiqbrm.pif' C:\Users\user\68821130\mofcxpne.aan
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD317.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\68821130\plfiqbrm.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C133A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 8_2_00C133A3
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C44AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 8_2_00C44AEB
Source: C:\Users\user\68821130\plfiqbrm.pif File created: C:\Users\user\temp\palnmuffs.msc
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C4E0F6 CoInitialize,CoCreateInstance,CoUninitialize, 8_2_00C4E0F6
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C3D606 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 8_2_00C3D606
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C13EC5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,FindCloseChangeNotification, 8_2_00C13EC5
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{c213d282-998c-4a04-8f80-944681ca75f6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_01
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Command line argument: sfxname 0_2_0138CBB8
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Command line argument: sfxstime 0_2_0138CBB8
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Command line argument: STARTDLG 0_2_0138CBB8
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: XnQ8NBKkhW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: XnQ8NBKkhW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: XnQ8NBKkhW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: XnQ8NBKkhW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: XnQ8NBKkhW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: XnQ8NBKkhW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: XnQ8NBKkhW.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: XnQ8NBKkhW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: XnQ8NBKkhW.exe
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000D.00000002.514255338.0000000000C22000.00000002.00020000.sdmp, RegSvcs.exe, 00000013.00000000.324832145.00000000002E2000.00000002.00020000.sdmp, RegSvcs.exe, 00000015.00000002.357889426.0000000000F22000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000015.00000002.357889426.0000000000F22000.00000002.00020000.sdmp, RegSvcs.exe.8.dr
Source: XnQ8NBKkhW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: XnQ8NBKkhW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: XnQ8NBKkhW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: XnQ8NBKkhW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: XnQ8NBKkhW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138E336 push ecx; ret 0_2_0138E349
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138D870 push eax; ret 0_2_0138D88E
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C0D53C push 7400C0CFh; iretd 8_2_00C0D541
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF6BD5 push ecx; ret 8_2_00BF6BE8
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_071F27CE push es; ret 13_2_071F27D0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Code function: 13_2_071F2879 push ebx; ret 13_2_071F287A
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BF6BD5 push ecx; ret 15_2_00BF6BE8
Contains functionality to dynamically determine API calls
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BEEE30 LoadLibraryA,GetProcAddress, 8_2_00BEEE30
File is packed with WinRar
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe File created: C:\Users\user\68821130\__tmp_rar_sfx_access_check_4215843
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 13.2.RegSvcs.exe.1000000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.2.RegSvcs.exe.1300000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe File created: C:\Users\user\68821130\plfiqbrm.pif
Drops PE files
Source: C:\Users\user\68821130\plfiqbrm.pif File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe File created: C:\Users\user\68821130\plfiqbrm.pif

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD317.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C5A2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_00C5A2EA
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C143FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_00C143FF
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\68821130\plfiqbrm.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM autoit script
Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\68821130\plfiqbrm.pif TID: 3156 Thread sleep count: 4966 > 30
Source: C:\Users\user\68821130\plfiqbrm.pif TID: 3156 Thread sleep time: -49660s >= -30000s
Source: C:\Users\user\68821130\plfiqbrm.pif TID: 3156 Thread sleep count: 90 > 30
Source: C:\Users\user\68821130\plfiqbrm.pif TID: 6420 Thread sleep count: 4253 > 30
Source: C:\Users\user\68821130\plfiqbrm.pif TID: 6420 Thread sleep time: -42530s >= -30000s
Source: C:\Users\user\68821130\plfiqbrm.pif TID: 6420 Thread sleep count: 110 > 30
Sleep loop found (likely to delay execution)
Source: C:\Users\user\68821130\plfiqbrm.pif Thread sleep count: Count: 4966 delay: -10
Source: C:\Users\user\68821130\plfiqbrm.pif Thread sleep count: Count: 4253 delay: -10
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\68821130\plfiqbrm.pif Window / User API: threadDelayed 4966
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 3208
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 6264
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 686
Source: C:\Users\user\68821130\plfiqbrm.pif Window / User API: threadDelayed 4253
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe444D6`
Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmp Binary or memory string: VMwareService.exe59767
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then46v
Source: plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then631
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then"
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then?
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exeO
Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exe5FB536C7
Source: mofcxpne.aan.0.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: mofcxpne.aan.0.dr Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: mofcxpne.aan.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp, plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: VMwareUser.exeE97637D6
Source: plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmp Binary or memory string: VMwaretray.exe\6
Source: RegSvcs.exe, 0000000D.00000002.516668374.0000000001B04000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Thenl
Source: mofcxpne.aan.0.dr Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmp Binary or memory string: VboxService.exe
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp, plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: mofcxpne.aan.0.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: C:\Users\user\68821130\plfiqbrm.pif Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138D353 VirtualQuery,GetSystemInfo, 0_2_0138D353
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137A2DF FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0137A2DF
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0138AFB9
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01399FD3 FindFirstFileExA, 0_2_01399FD3
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C1399B GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00C1399B
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C2BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 8_2_00C2BCB3
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C32408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose, 8_2_00C32408
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C58877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 8_2_00C58877
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C2280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00C2280D
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C3CAE7 FindFirstFileW,FindNextFileW,FindClose, 8_2_00C3CAE7
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C11A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00C11A73
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00C1399B GetFileAttributesW,FindFirstFileW,FindClose, 15_2_00C1399B

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BEEE30 LoadLibraryA,GetProcAddress, 8_2_00BEEE30
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01396AF3 mov eax, dword ptr fs:[00000030h] 0_2_01396AF3
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0138E4F5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0139ACA1 GetProcessHeap, 0_2_0139ACA1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF6374 GetStartupInfoW,__heap_init,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,LdrInitializeThunk, 8_2_00BF6374
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C3A35D BlockInput, 8_2_00C3A35D
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138E643 SetUnhandledExceptionFilter, 0_2_0138E643
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0138E4F5
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0138E7FB
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_01397BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01397BE1
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BFF170 SetUnhandledExceptionFilter, 8_2_00BFF170
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BFA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00BFA128
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BF7CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00BF7CCD
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BFA128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00BFA128
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 15_2_00BF7CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00BF7CCD

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\68821130\plfiqbrm.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1000000 protect: page execute and read and write
Source: C:\Users\user\68821130\plfiqbrm.pif Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1000000 value starts with: 4D5A
Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1000000
Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: E81000
Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000
Source: C:\Users\user\68821130\plfiqbrm.pif Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1188000
Contains functionality to simulate keystroke presses
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C143FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_00C143FF
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Process created: C:\Users\user\68821130\plfiqbrm.pif 'C:\Users\user\68821130\plfiqbrm.pif' mofcxpne.aan
Source: C:\Users\user\68821130\plfiqbrm.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD317.tmp'
Source: C:\Users\user\68821130\plfiqbrm.pif Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Contains functionality to execute programs as a different user
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C16C61 LogonUserW, 8_2_00C16C61
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BED7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 8_2_00BED7A0
Contains functionality to simulate mouse events
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C13321 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 8_2_00C13321
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C2602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 8_2_00C2602A
Source: RegSvcs.exe, 0000000D.00000002.519819901.0000000003CB2000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: plfiqbrm.pif.0.dr Binary or memory string: IDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: plfiqbrm.pif, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: plfiqbrm.pif, 00000008.00000002.516637853.0000000002CE0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: plfiqbrm.pif, 00000008.00000002.516637853.0000000002CE0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp, plfiqbrm.pif, 0000000F.00000003.329043636.0000000003FF1000.00000004.00000001.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: RegSvcs.exe, 0000000D.00000002.518911849.0000000003936000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa+n
Source: plfiqbrm.pif, 0000000F.00000002.518207032.0000000003FF0000.00000004.00000001.sdmp Binary or memory string: Program Manager*7
Source: RegSvcs.exe, 0000000D.00000002.521708279.000000000733C000.00000004.00000010.sdmp Binary or memory string: Program ManagerL
Source: mofcxpne.aan.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: plfiqbrm.pif, 00000008.00000002.516637853.0000000002CE0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: plfiqbrm.pif, 00000008.00000002.516637853.0000000002CE0000.00000002.00020000.sdmp, RegSvcs.exe, 0000000D.00000002.518130610.00000000021A0000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.518070527.00000000020A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: plfiqbrm.pif, 00000008.00000002.517842406.0000000004DE0000.00000004.00000001.sdmp Binary or memory string: Program ManagerT
Source: plfiqbrm.pif, 00000008.00000002.515016602.0000000000C62000.00000002.00020000.sdmp, plfiqbrm.pif, 0000000F.00000002.517254514.0000000000C62000.00000002.00020000.sdmp Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
Source: RegSvcs.exe, 0000000D.00000002.521594642.000000000716D000.00000004.00000010.sdmp Binary or memory string: Program ManagerL(

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_01389D99
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138E34B cpuid 0_2_0138E34B
Source: C:\Users\user\68821130\plfiqbrm.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0138CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle, 0_2_0138CBB8
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00BFE284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 8_2_00BFE284
Source: C:\Users\user\Desktop\XnQ8NBKkhW.exe Code function: 0_2_0137A995 GetVersionExW, 0_2_0137A995

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat
Source: plfiqbrm.pif, 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 0000000D.00000002.518429409.0000000003811000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: plfiqbrm.pif, 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
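Added triage helper, not part of this report or of the sandbox's own tooling: it turns the marker strings quoted above (the .NET metadata names of NanoCore's ClientPlugin.dll, with NanoCore.ClientPluginHost as the strongest single marker) into an offline scan of a process dump or unpacked PE. It assumes only the Python standard library; the sample bytes inside it are constructed for illustration and are not taken from the analysed file. It searches both UTF-8, which is how the metadata #Strings heap stores identifiers and where the long name list above comes from, and UTF-16LE, which is how managed System.String objects sit on the heap of a live process; a scan that only looks for ASCII misses the second form.

```python
"""Offline scan of a process memory dump or unpacked PE for the NanoCore
ClientPlugin marker strings listed in the sandbox report.

Added example, not part of the report or of any NanoCore tooling.
Assumes only the Python standard library. The sample bytes below are
constructed for illustration and are not taken from the analysed file.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Marker strings copied from the report's "Detected Nanocore Rat" evidence:
# the .NET metadata names of NanoCore's ClientPlugin.dll. The namespace-qualified
# host interface name is the strongest single marker; the others corroborate.
PRIMARY_MARKER = "NanoCore.ClientPluginHost"
MARKERS = (
    PRIMARY_MARKER,
    "IClientNetworkHost",
    "IClientUIHost",
    "IClientLoggingHost",
    "IClientAppHost",
    "ClientPlugin.dll",
)

# Both encodings matter: the metadata #Strings heap stores identifiers as UTF-8,
# while managed System.String objects on the heap are UTF-16LE. Looking only for
# ASCII misses the second form in a dump of the running injected process.
ENCODINGS = ("utf-8", "utf-16le")


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str
    offset: int


def find_markers(data: bytes) -> list[Hit]:
    """Return every marker occurrence in data, in either encoding, sorted by offset."""
    hits: list[Hit] = []
    for marker in MARKERS:
        for enc in ENCODINGS:
            needle = re.escape(marker.encode(enc))
            hits.extend(Hit(marker, enc, m.start()) for m in re.finditer(needle, data))
    return sorted(hits, key=lambda h: (h.offset, h.marker))


def verdict(hits: list[Hit]) -> str:
    """Map hits to a triage verdict.

    'nanocore'   - the namespace-qualified host interface name is present
    'suspicious' - two or more corroborating names without the primary marker
    'clean'      - nothing of note
    """
    found = {h.marker for h in hits}
    if PRIMARY_MARKER in found:
        return "nanocore"
    if len(found) >= 2:
        return "suspicious"
    return "clean"


# Constructed sample (not a real dump): a slice of the metadata string quoted in
# the report, a UTF-16LE copy of the primary marker as a managed string, filler.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"IClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHost"
    + b"IClientLoggingHostIClientAppHost"
    + b"\x00" * 32
    + PRIMARY_MARKER.encode("utf-16le")
    + b"\x00" * 32
    + b"ClientPlugin.dll\x00"
)
# Constructed benign control: a VisualBasic runtime namespace that also appears in
# the quoted metadata but is not NanoCore-specific, so it must not trigger.
CLEAN_SAMPLE = b"\x00" * 16 + b"Microsoft.VisualBasic.ApplicationServices" + b"\x00" * 16


def scan_file(path: str) -> tuple[str, list[Hit]]:
    """Scan a file on disk (an .sdmp or .unpack artefact, for example)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = find_markers(data)
    return verdict(hits), hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result, found = scan_file(sys.argv[1])
    else:
        found = find_markers(SAMPLE_DUMP)
        result = verdict(found)
    print(f"verdict: {result}")
    for h in found:
        print(f"  {h.offset:#010x}  {h.encoding:<8}  {h.marker}")
```

Run it with no arguments to see the constructed sample classified, or pass the path of a dumped region such as one of the .sdmp files named above. The verdict deliberately keys on the namespace-qualified name rather than on "NanoCore" alone, and requires two corroborating interface names before calling anything suspicious, because the bare interface names are short enough to collide with unrelated .NET assemblies.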
Yara detected Nanocore RAT
Source: Yara match File source: 21.2.RegSvcs.exe.4914d2d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegSvcs.exe.490b8ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4860704.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.4209268.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.509ee78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.426ee78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.509ee78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegSvcs.exe.4910704.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6314629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.485b8ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4860704.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegSvcs.exe.1300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6310000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.41a3658.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.41a3658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.4209268.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.6310000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.4209268.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.1000000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.4864d2d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.4fd3658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegSvcs.exe.4910704.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.plfiqbrm.pif.426ee78.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.plfiqbrm.pif.5039268.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000003.333450416.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296707219.0000000004E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.358798925.00000000048C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333548197.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.301043034.0000000005039000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296677101.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333693617.000000000423D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.301207556.0000000004E99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335726585.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.300915708.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296824143.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.514761470.0000000001002000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.297562836.000000000506D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333596902.0000000004171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.300876890.000000000506D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296554307.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.296735581.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.358078886.0000000001302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.358703813.00000000038C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335236446.00000000041D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333520703.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.521202620.0000000006310000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.333495903.00000000041D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335366291.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.300970543.0000000004FD4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.519934811.0000000004819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.301072228.0000000004FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335950135.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.301008313.0000000005039000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335477883.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335598417.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.335160851.000000000423D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 1700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: plfiqbrm.pif PID: 6416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6684, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C4C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 8_2_00C4C06C
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C565D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_00C565D3
Source: C:\Users\user\68821130\plfiqbrm.pif Code function: 8_2_00C44EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 8_2_00C44EFB