Windows Analysis Report
fLNzmBM9hR.exe

Overview

General Information

Sample name:	fLNzmBM9hR.exe renamed because original name is a hash value
Original sample name:	14239732dbddfe922c297fdeac56a062.exe
Analysis ID:	1446518
MD5:	14239732dbddfe922c297fdeac56a062
SHA1:	3f4f6454c4a2c1c5d1e10d5f841ce14eef00a785
SHA256:	1805439355f48464312b4f9c0e16301c5f211c204e197c2000e7342c8db95c00
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fLNzmBM9hR.exe

Avira: detected

Antivirus detection for URL or domain

Source: maxlogs.webhop.me

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe

Avira: detection malicious, Label: TR/AD.Nanocore.ihehd

Found malware configuration

Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1fa46b72-10f9-4da3-bc15-84dde165", "Group": "NewBin", "Domain1": "newsddawork.3utilities.com", "Domain2": "maxlogs.webhop.me", "Port": 1620, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Source: maxlogs.webhop.me

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Virustotal: Detection: 74%			Perma Link

Multi AV Scanner detection for submitted file

Source: fLNzmBM9hR.exe	Virustotal: Detection: 74%			Perma Link
Source: fLNzmBM9hR.exe	ReversingLabs: Detection: 76%

Yara detected Nanocore RAT

Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fLNzmBM9hR.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: fLNzmBM9hR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fLNzmBM9hR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreStressTester.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: Accessibility.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: FileBrowserClient.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreBase.pdb\ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Windows.Forms.pdbl source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: mscorlib.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.pdb7 source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.pdbH source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Drawing.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPlugin.pdbh source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: dows\exe\MSBuild.pdb4 source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdbMZ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPluginNew.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: MyClientPluginNew.pdbMZ@ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPlugin.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: NanoCoreBase.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreStressTester.pdbt^ source: WERC6F3.tmp.dmp.20.dr

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_06ACE4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	6_2_077D02C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	6_2_077D02B9

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49732 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49736 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49737 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49744 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49745 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49746 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49746 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49747 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49748 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046909 ET TROJAN NanoCore RAT Keepalive Response 1 104.243.242.165:1620 -> 192.168.2.4:49748
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49749 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046917 ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 104.243.242.165:1620 -> 192.168.2.4:49749
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49751 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49752 -> 104.243.242.165:1620

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: maxlogs.webhop.me
Source: Malware configuration extractor	URLs: newsddawork.3utilities.com

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 104.243.242.165:1620

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.151
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.151

Source: global traffic

DNS traffic detected: DNS query: newsddawork.3utilities.com

Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://google.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1673750956.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, dgKDUvhlvCiVpa.exe, 00000007.00000002.1695292378.0000000002B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.20.dr	String found in binary or memory: http://upx.sf.net
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp, fLNzmBM9hR.exe, 00000000.00000002.1676472894.0000000005FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: fLNzmBM9hR.exe, 00000000.00000002.1676427170.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

Network traffic detected: HTTP traffic on port 49675 -> 443

Installs a raw input device (often for capturing keystrokes)

Source: MSBuild.exe, 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_d3b6dba2-6

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3087398590.0000000004543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group

Detected potential crypto function

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_00D6D2E4	0_2_00D6D2E4
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_04A95520	0_2_04A95520
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_04A93628	0_2_04A93628
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_04A90AB9	0_2_04A90AB9
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_04A90AC8	0_2_04A90AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_017ED344	6_2_017ED344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06ACB658	6_2_06ACB658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06AC1D58	6_2_06AC1D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06ACC270	6_2_06ACC270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06ACC32E	6_2_06ACC32E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06AC0140	6_2_06AC0140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D3798	6_2_077D3798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077DB660	6_2_077DB660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077DAD60	6_2_077DAD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D65B8	6_2_077D65B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D4C90	6_2_077D4C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077DA490	6_2_077DA490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D43B0	6_2_077D43B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D446E	6_2_077D446E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D728E	6_2_077D728E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077DA148	6_2_077DA148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D71D0	6_2_077D71D0
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00F1D2E4	7_2_00F1D2E4
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00FD4940	7_2_00FD4940
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00FD2A48	7_2_00FD2A48
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B4758	7_2_071B4758
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B3BF8	7_2_071B3BF8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B4748	7_2_071B4748
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B3637	7_2_071B3637
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B3648	7_2_071B3648
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BD6B0	7_2_071BD6B0
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BB5D0	7_2_071BB5D0
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BCCA8	7_2_071BCCA8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B3BE8	7_2_071B3BE8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BBA08	7_2_071BBA08
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BF950	7_2_071BF950
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BF960	7_2_071BF960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 11_2_0155D344	11_2_0155D344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 12_2_00E55A49	12_2_00E55A49
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 12_2_00E52B90	12_2_00E52B90

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 1416

Sample file is different than original file name gathered from version info

Source: fLNzmBM9hR.exe, 00000000.00000002.1677098272.0000000007567000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exej% vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe, 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe, 00000000.00000002.1672969464.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe, 00000000.00000002.1676153949.00000000054E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe, 00000000.00000002.1677607202.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe	Binary or memory string: OriginalFilenameXBxR.exe. vs fLNzmBM9hR.exe

Uses 32bit PE files

Source: fLNzmBM9hR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3087398590.0000000004543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research

Source: fLNzmBM9hR.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dgKDUvhlvCiVpa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, Mt0ImfW2NMZoNJ1Hiu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, Mt0ImfW2NMZoNJ1Hiu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: _0020.AddAccessRule

Source: 0.2.fLNzmBM9hR.exe.54c0000.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.fLNzmBM9hR.exe.2a56e68.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.fLNzmBM9hR.exe.2a46e50.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: dnshost.exe, 0000000C.00000002.1799913093.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q%C:\Program Files (x86)\DNS Host\*.sln
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe, 0000000C.00000002.1799913093.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe.6.dr	Binary or memory string: *.sln
Source: dnshost.exe, 0000000C.00000002.1798358511.0000000000B44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files (x86)\DNS Host\<.slnn<#N
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/23@16/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Program Files (x86)\DNS Host

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Mutant created: \Sessions\1\BaseNamedObjects\VORvjohFncKJWkVKKJ
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7012
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{1fa46b72-10f9-4da3-bc15-84dde165706d}

Source: unknown	Process created: C:\Users\user\Desktop\fLNzmBM9hR.exe "C:\Users\user\Desktop\fLNzmBM9hR.exe"
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 1416
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll

Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	.Net Code: yvpR39ZiHZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	.Net Code: yvpR39ZiHZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.54e0000.6.raw.unpack, LoginForm.cs	.Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00F1F478 push esp; iretd	7_2_00F1F479
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00FD0D13 push eax; iretd	7_2_00FD0D1D
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7705 push ecx; iretd	7_2_071B7706
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B775E push eax; iretd	7_2_071B775F
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7749 push eax; iretd	7_2_071B774B
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7775 push eax; iretd	7_2_071B7776
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B77D6 push ax; iretd	7_2_071B77D8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B77C3 push eax; iretd	7_2_071B77C4
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B77F0 push eax; iretd	7_2_071B77F2
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B761B push edx; iretd	7_2_071B761C
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B769F push ecx; iretd	7_2_071B76A1
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B76B7 push ecx; iretd	7_2_071B76B8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B76DA push ecx; iretd	7_2_071B76DB
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B76ED push ecx; iretd	7_2_071B76EF
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7505 push ebx; iretd	7_2_071B7507
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7520 push ebx; iretd	7_2_071B7521
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7599 push edx; iretd	7_2_071B759A
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B75AD push edx; iretd	7_2_071B75AE
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B75C7 push edx; iretd	7_2_071B75C8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B75EC push edx; iretd	7_2_071B75EE
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B740D push esp; iretd	7_2_071B740F
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B744E push ebx; iretd	7_2_071B7450
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B747A push ebx; iretd	7_2_071B747B
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7463 push ebx; iretd	7_2_071B7464
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B74F1 push ebx; iretd	7_2_071B74F3
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7310 push ebp; iretd	7_2_071B7316
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7327 push ebp; iretd	7_2_071B732D
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7372 push esp; iretd	7_2_071B7373
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B738F push esp; iretd	7_2_071B7391
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B73BB push esp; iretd	7_2_071B73BC
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B73A3 push esp; iretd	7_2_071B73A5

Source: fLNzmBM9hR.exe	Static PE information: section name: .text entropy: 7.9781458639858265
Source: dgKDUvhlvCiVpa.exe.0.dr	Static PE information: section name: .text entropy: 7.9781458639858265

Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, kneA8pFPEWPb7xDiGt.cs	High entropy of concatenated method names: 'LE0TkYUrhw', 'b92Tfis3WT', 'VRXTQbgweT', 'BYaTdJJ9gu', 'GjXTpdnJL5', 'MXRTPBk2RH', 'jW4TbfUINy', 'dJMTVjRgNj', 'agyT5btdTi', 'HbUTAxEQwC'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, VOWNRHQX9kUKKcoL7i.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fIbxClxsN7', 'THyxvmpG20', 'VFNxzur7lQ', 'aww0hZYeLT', 'oS20eLyA0N', 'HBP0xw6vKQ', 'b6W00vEOiD', 'sWGUMe4nfyA636cqhHS'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KlQkb2r7oFN52Q2qZe.cs	High entropy of concatenated method names: 'ToString', 'pOHGUtVLhe', 'lfsG71ffJT', 'q2cGspZEPs', 'EYsGmSXcA4', 'elIGLekvNe', 'nMcGI0ts9K', 'WrJGaW3F4D', 'AtpGnkIkXe', 'c0iGwG3DZ1'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, H56QvGabV6fscrZUYr.cs	High entropy of concatenated method names: 'u2IPkIIqGp', 'DxEPQLk8Rb', 'eEiPpsj4gl', 'k9Spv1USls', 'RwLpzjC2QC', 'UXCPhQXIgG', 'zf0PesVyCg', 'trIPxiZKDY', 'BcWP0bFxlv', 'BKTPRdUmlr'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, nxmtI7gx39DWI5vnUl.cs	High entropy of concatenated method names: 'RRHpDC56aw', 'OYepf5XTPQ', 'EWnpdQ7jfQ', 'hytpPSXtSM', 'fdVpbG7vcS', 'P3vd806QDT', 'E5gdB3rDyM', 'HlndjqoKVv', 'SXFdFSJxn2', 'FpRdCaZ1fm'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, SNZRMVe0WdymfJlynVe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6NY4JEuY5', 'r0GYO8dkcQ', 'RICYraP9rt', 'fjWYZaPhch', 'SUvY83U25D', 'OiEYBKTyYZ', 'DTNYjSsape'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, p8SIOJzyxjsivyojIV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cZZlSSTn6x', 'iFKlM5nK5i', 'jTilGMmKke', 'l9ylyUDsue', 'sQ4lTSATjr', 'j2kll2hiJ4', 'zgOlYGmjim'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, oqdAOl97dxk3nqr3cY.cs	High entropy of concatenated method names: 'P7wdJRtQt2', 'BbldXXb4Uy', 'ioEQseG7Rs', 'iXmQmC5uGU', 'OAOQLQCCbp', 'RlRQI9vHfx', 'RsWQaDjYaM', 'EOZQnax6pc', 'RQVQwBLgmF', 'do9QH8eIEi'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, Vv1F3Ifw1mbQLiAjti.cs	High entropy of concatenated method names: 'Dispose', 'waVeCIQUdd', 'Prwx7jOsZO', 'kGbyyp7xZI', 'ibneveA8pP', 'tWPezb7xDi', 'ProcessDialogKey', 'ptRxhTafJC', 'zlRxeLvdPD', 'hEfxxQ8ZHe'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, sPwtxoehqmVp9W195LG.cs	High entropy of concatenated method names: 'nlVlq1dtAl', 'SJMli81HCy', 'mFul353nYy', 'fC7l2AF6WO', 'DJglJies54', 'sRJlKiYgG4', 'vaklXy7dmn', 'K6BlWtejXF', 'n3vloUJn24', 'FAjl9T1Q2S'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, Kc4J6S4Iblnb55We4o.cs	High entropy of concatenated method names: 'vyJMHEXSp7', 'wCgMud8ppU', 'orUM47KOrI', 'CnZMOGug4j', 'cQmM7in6EY', 'h52Mshe95x', 'TJbMmdCK3w', 'mtaMLmLHx0', 'qIXMIZZI40', 'zHBMabLnbH'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, dDlMY8RqgfYN8K0INW.cs	High entropy of concatenated method names: 'QenePt0Imf', 'ANMebZoNJ1', 'Pg0e5KJQWa', 'QJYeAJSqdA', 'xr3eMcYAxm', 'vI7eGx39DW', 'gxNZpHf5wSm3ka96Wl', 'keRQ6qtLOa93XpaTu0', 'AEMeeRtPkv', 'tfHe0D8rkQ'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, dTafJCC3lRLvdPDdEf.cs	High entropy of concatenated method names: 'jdxTgPRLiq', 'AWUT7UrRCx', 'cHxTsrjXQS', 'cr8TmuOYke', 'wnwT4Q2yun', 'pYCTLB4NRR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	High entropy of concatenated method names: 'ff90DkIOna', 'SaY0k8sjTV', 'oYf0f44rtA', 'khU0Q4q728', 'Kfm0dWpd4R', 'acX0pUJ6KN', 'QyK0PRBM6J', 'B680bhmkNC', 'Hlb0VyLJjD', 'hOt05P6tG4'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, OmbQxuxUcHKEMN2xZL.cs	High entropy of concatenated method names: 'c8Z3nD5wy', 'dKV2D91eu', 'uR7KfpQNw', 'bpUX5QXBJ', 'PeJoPvF7h', 'UGB9rjwuK', 'Qa22cJuJnWtC7gYR1V', 'fgBjRt2TIxCNAanFdO', 'VMrT4vpaL', 'tJoY6PXJi'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, hjHIYLB4SSpneZSvS0.cs	High entropy of concatenated method names: 'f8fyF9Gdi0', 'MaYyv4dM3T', 'NvFThNEkLm', 'GydTeKymv7', 'dDwyUqEerM', 'ghXyuOcqjb', 'TbqycZN1vm', 'l30y4CW03L', 'bamyOHiYMn', 'vU3yrOkxZL'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, x1Cfjuog0KJQWacJYJ.cs	High entropy of concatenated method names: 'UPaQ2PeUcM', 'jdcQKMtRxa', 'xMGQW9TDoi', 'Ga6Qo1lQRv', 'XODQMNa5Qq', 'flqQGEYVcJ', 'J60Qy80Y1g', 'eDUQTYBT0q', 'tQWQlU6Zg0', 'NQrQYf0Men'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, FPrNA1Z02HXpGH8rCh.cs	High entropy of concatenated method names: 'xiOy5R0ao2', 'q46yABaDjF', 'ToString', 'pPDyk6YqCc', 'f0AyfOSs8s', 'Y2VyQQEahy', 'AjmydRhqP8', 'E5Eyp9p2AE', 'DcJyPWkyX7', 'z4HybRHxxh'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, Mt0ImfW2NMZoNJ1Hiu.cs	High entropy of concatenated method names: 'QDif46Drsu', 'MmwfOTiPA0', 'QfHfrK5QrX', 'vE5fZ9l56w', 'JVuf8yUwsV', 'AxbfBx0TSa', 'ROXfjGZP7H', 'tXffF792Sf', 'uMefCqcGaD', 'XmFfvYoIBW'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, RlrJ8Bc659FMOLPpT3.cs	High entropy of concatenated method names: 'mJBSWdbYLI', 'o5USoi1ml2', 'GiqSgjmvsF', 'UTqS7owb9m', 'LyOSmWWxJG', 'C57SL6jv7v', 'tGESaxcefT', 'oKLSnCcgqV', 'RDNSHgJAv4', 'psUSUxphYk'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, dHTFucwCCrkagJNH24.cs	High entropy of concatenated method names: 'iZaPqv6onw', 'o4EPikqcDk', 'tLwP3msrMx', 'RgEP2gnuOv', 'Mu6PJHQGr5', 'w1pPK4MgcT', 'fr3PXUgyah', 'S8TPWxBQ3x', 's9gPov7L7r', 'u86P9upIGS'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, h8ZHejv5d21rwX7obe.cs	High entropy of concatenated method names: 'bcQleb9j0a', 'xpwl09E9dE', 'TiblRHSlU5', 'nkulkN7vwU', 'Q6mlfjFkvU', 'rRHld7v3xv', 'UO4lpo2F5L', 'y0kTjbfxcl', 'KYnTFuv2sc', 'PsoTC76ZN6'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, kneA8pFPEWPb7xDiGt.cs	High entropy of concatenated method names: 'LE0TkYUrhw', 'b92Tfis3WT', 'VRXTQbgweT', 'BYaTdJJ9gu', 'GjXTpdnJL5', 'MXRTPBk2RH', 'jW4TbfUINy', 'dJMTVjRgNj', 'agyT5btdTi', 'HbUTAxEQwC'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, VOWNRHQX9kUKKcoL7i.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fIbxClxsN7', 'THyxvmpG20', 'VFNxzur7lQ', 'aww0hZYeLT', 'oS20eLyA0N', 'HBP0xw6vKQ', 'b6W00vEOiD', 'sWGUMe4nfyA636cqhHS'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KlQkb2r7oFN52Q2qZe.cs	High entropy of concatenated method names: 'ToString', 'pOHGUtVLhe', 'lfsG71ffJT', 'q2cGspZEPs', 'EYsGmSXcA4', 'elIGLekvNe', 'nMcGI0ts9K', 'WrJGaW3F4D', 'AtpGnkIkXe', 'c0iGwG3DZ1'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, H56QvGabV6fscrZUYr.cs	High entropy of concatenated method names: 'u2IPkIIqGp', 'DxEPQLk8Rb', 'eEiPpsj4gl', 'k9Spv1USls', 'RwLpzjC2QC', 'UXCPhQXIgG', 'zf0PesVyCg', 'trIPxiZKDY', 'BcWP0bFxlv', 'BKTPRdUmlr'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, nxmtI7gx39DWI5vnUl.cs	High entropy of concatenated method names: 'RRHpDC56aw', 'OYepf5XTPQ', 'EWnpdQ7jfQ', 'hytpPSXtSM', 'fdVpbG7vcS', 'P3vd806QDT', 'E5gdB3rDyM', 'HlndjqoKVv', 'SXFdFSJxn2', 'FpRdCaZ1fm'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, SNZRMVe0WdymfJlynVe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6NY4JEuY5', 'r0GYO8dkcQ', 'RICYraP9rt', 'fjWYZaPhch', 'SUvY83U25D', 'OiEYBKTyYZ', 'DTNYjSsape'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, p8SIOJzyxjsivyojIV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cZZlSSTn6x', 'iFKlM5nK5i', 'jTilGMmKke', 'l9ylyUDsue', 'sQ4lTSATjr', 'j2kll2hiJ4', 'zgOlYGmjim'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, oqdAOl97dxk3nqr3cY.cs	High entropy of concatenated method names: 'P7wdJRtQt2', 'BbldXXb4Uy', 'ioEQseG7Rs', 'iXmQmC5uGU', 'OAOQLQCCbp', 'RlRQI9vHfx', 'RsWQaDjYaM', 'EOZQnax6pc', 'RQVQwBLgmF', 'do9QH8eIEi'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, Vv1F3Ifw1mbQLiAjti.cs	High entropy of concatenated method names: 'Dispose', 'waVeCIQUdd', 'Prwx7jOsZO', 'kGbyyp7xZI', 'ibneveA8pP', 'tWPezb7xDi', 'ProcessDialogKey', 'ptRxhTafJC', 'zlRxeLvdPD', 'hEfxxQ8ZHe'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, sPwtxoehqmVp9W195LG.cs	High entropy of concatenated method names: 'nlVlq1dtAl', 'SJMli81HCy', 'mFul353nYy', 'fC7l2AF6WO', 'DJglJies54', 'sRJlKiYgG4', 'vaklXy7dmn', 'K6BlWtejXF', 'n3vloUJn24', 'FAjl9T1Q2S'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, Kc4J6S4Iblnb55We4o.cs	High entropy of concatenated method names: 'vyJMHEXSp7', 'wCgMud8ppU', 'orUM47KOrI', 'CnZMOGug4j', 'cQmM7in6EY', 'h52Mshe95x', 'TJbMmdCK3w', 'mtaMLmLHx0', 'qIXMIZZI40', 'zHBMabLnbH'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, dDlMY8RqgfYN8K0INW.cs	High entropy of concatenated method names: 'QenePt0Imf', 'ANMebZoNJ1', 'Pg0e5KJQWa', 'QJYeAJSqdA', 'xr3eMcYAxm', 'vI7eGx39DW', 'gxNZpHf5wSm3ka96Wl', 'keRQ6qtLOa93XpaTu0', 'AEMeeRtPkv', 'tfHe0D8rkQ'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, dTafJCC3lRLvdPDdEf.cs	High entropy of concatenated method names: 'jdxTgPRLiq', 'AWUT7UrRCx', 'cHxTsrjXQS', 'cr8TmuOYke', 'wnwT4Q2yun', 'pYCTLB4NRR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	High entropy of concatenated method names: 'ff90DkIOna', 'SaY0k8sjTV', 'oYf0f44rtA', 'khU0Q4q728', 'Kfm0dWpd4R', 'acX0pUJ6KN', 'QyK0PRBM6J', 'B680bhmkNC', 'Hlb0VyLJjD', 'hOt05P6tG4'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, OmbQxuxUcHKEMN2xZL.cs	High entropy of concatenated method names: 'c8Z3nD5wy', 'dKV2D91eu', 'uR7KfpQNw', 'bpUX5QXBJ', 'PeJoPvF7h', 'UGB9rjwuK', 'Qa22cJuJnWtC7gYR1V', 'fgBjRt2TIxCNAanFdO', 'VMrT4vpaL', 'tJoY6PXJi'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, hjHIYLB4SSpneZSvS0.cs	High entropy of concatenated method names: 'f8fyF9Gdi0', 'MaYyv4dM3T', 'NvFThNEkLm', 'GydTeKymv7', 'dDwyUqEerM', 'ghXyuOcqjb', 'TbqycZN1vm', 'l30y4CW03L', 'bamyOHiYMn', 'vU3yrOkxZL'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, x1Cfjuog0KJQWacJYJ.cs	High entropy of concatenated method names: 'UPaQ2PeUcM', 'jdcQKMtRxa', 'xMGQW9TDoi', 'Ga6Qo1lQRv', 'XODQMNa5Qq', 'flqQGEYVcJ', 'J60Qy80Y1g', 'eDUQTYBT0q', 'tQWQlU6Zg0', 'NQrQYf0Men'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, FPrNA1Z02HXpGH8rCh.cs	High entropy of concatenated method names: 'xiOy5R0ao2', 'q46yABaDjF', 'ToString', 'pPDyk6YqCc', 'f0AyfOSs8s', 'Y2VyQQEahy', 'AjmydRhqP8', 'E5Eyp9p2AE', 'DcJyPWkyX7', 'z4HybRHxxh'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, Mt0ImfW2NMZoNJ1Hiu.cs	High entropy of concatenated method names: 'QDif46Drsu', 'MmwfOTiPA0', 'QfHfrK5QrX', 'vE5fZ9l56w', 'JVuf8yUwsV', 'AxbfBx0TSa', 'ROXfjGZP7H', 'tXffF792Sf', 'uMefCqcGaD', 'XmFfvYoIBW'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, RlrJ8Bc659FMOLPpT3.cs	High entropy of concatenated method names: 'mJBSWdbYLI', 'o5USoi1ml2', 'GiqSgjmvsF', 'UTqS7owb9m', 'LyOSmWWxJG', 'C57SL6jv7v', 'tGESaxcefT', 'oKLSnCcgqV', 'RDNSHgJAv4', 'psUSUxphYk'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, dHTFucwCCrkagJNH24.cs	High entropy of concatenated method names: 'iZaPqv6onw', 'o4EPikqcDk', 'tLwP3msrMx', 'RgEP2gnuOv', 'Mu6PJHQGr5', 'w1pPK4MgcT', 'fr3PXUgyah', 'S8TPWxBQ3x', 's9gPov7L7r', 'u86P9upIGS'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, h8ZHejv5d21rwX7obe.cs	High entropy of concatenated method names: 'bcQleb9j0a', 'xpwl09E9dE', 'TiblRHSlU5', 'nkulkN7vwU', 'Q6mlfjFkvU', 'rRHld7v3xv', 'UO4lpo2F5L', 'y0kTjbfxcl', 'KYnTFuv2sc', 'PsoTC76ZN6'

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	File created: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Program Files (x86)\DNS Host\dnshost.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 4A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 7BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 8BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 8E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 9E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 75C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 85C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 8860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 9860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 28F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7561	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4591	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 894	Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3684	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe TID: 2640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Amcache.hve.20.dr	Binary or memory string: VMware
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.20.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.20.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.20.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.20.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.20.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 00000006.00000002.3093865655.0000000006860000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: Amcache.hve.20.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.20.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: dgKDUvhlvCiVpa.exe, 00000007.00000002.1693658054.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.20.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.20.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.20.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.20.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.20.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.20.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.20.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.20.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.20.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.20.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.20.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.20.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D08008	Jump to behavior

Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\I
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql(z
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT.M
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<H=
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003618000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP-
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`'C
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8}{
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql*[
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,=@
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`s~
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP
Source: MSBuild.exe, 00000006.00000002.3097430254.0000000007B7D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerManager
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0jX
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003612000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$(a
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q#C
Source: MSBuild.exe, 00000006.00000002.3095776311.000000000770D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000036A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4fj
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000385A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.000000000384E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3093806559.000000000685C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlUH
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 2E
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@^H
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,f~
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0JU
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q438
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000385A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4V
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.000000000373A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP)E
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlB^q
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager8
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlU[
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4w
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$H@

Source: Amcache.hve.20.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: MsMpEng.exe

Windows Analysis Report fLNzmBM9hR.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
fLNzmBM9hR.exe

Malware Threat Intel
Provided by

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Name	IP	Active
newsddawork.3utilities.com	104.243.242.165	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true

Name	Malicious	Antivirus Detection	Reputation
maxlogs.webhop.me	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
newsddawork.3utilities.com	true	Avira URL Cloud: safe	unknown

ID:	1446518
Product:	CloudBasic
Start time:	15:46:06
Start date:	23.05.2024
Sample:	fLNzmBM9hR.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	14239732dbddfe922c297fdeac56a062
SHA1:	3f4f6454c4a2c1c5d1e10d5f841ce14eef00a785
SHA256:	1805439355f48464312b4f9c0e16301c5f211c204e197c2000e7342c8db95c00
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\DNS Host\dnshost.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	8FDF47E0FF70C40ED3A17014AEEA4232	E6256A0159688F0560B015DA4D967F41CBF8C9BD	ED9884BAC608C06B7057037CC91D90E4AE5F74DD2DBCE2AF476699C6D4492D82
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_f553dd681214908324f05d7ad9ebff8e6dc2a494_1623435c_b407573d-7935-418a-89b8-f36dbc0c1682\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	357C0CCE0D3985AA2727954EE45108F7	D026A0FE987268A96D2A5A7B4C187DB835A3633A	EC831972621875F642E43FB578DF5E8A97C055EB38AD9FA4756B5D28491BC1A5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4924.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	EEEB85974DBBC23CCE93DD4EBFA89487	96CB96E8648F1248533F19A6D4909B5BABC8EF27	EF5F4F79E7B2B7A2082856BD8D2E0508778A92ADD6B0CBDBE0C3EB2C37A29B5E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4963.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	1F916E307E706C9B0C94258BCBECD419	121B704EAD94560A642B46937982371BEBA50891	E006E0E05393ECA17C28711A9F49A9D9BA6F16479668399FC7F6719A413EF627
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6F3.tmp.dmp	Mini DuMP crash report, 15 streams, Thu May 23 13:49:04 2024, 0x1205a4 type	4B2736E6A5D8F991649778399B3CE3F7	F5C0941BF1560D0AA725417F47AF793AAA475418	E099A0036952B01300922613A243CEB751E78699BC9EE2486141EB1843DC4126
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log	ASCII text, with CRLF line terminators	7B709BC412BEC5C3CFD861C041DAD408	532EA6BB3018AE3B51E7A5788F614A6C49252BCF	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dgKDUvhlvCiVpa.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dnshost.exe.log	ASCII text, with CRLF line terminators	DC4D693606B39967E81E3ED651DE35B3	F4E6ECCB66D4D9B66E726C6BBC089A704D25A707	54E5F36B1A3F58D73B9AC2BCCFC976FE015A3772D584204FE4B2C47F77A61299
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fLNzmBM9hR.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	08C4BB62AB814866FFEF46F746CB9140	A24D7CCEC57571B1ADD96212CC8EB391982964E9	BBF508C20A76CD57ADC1E12C9239C6A82F72BC034F3B01AF7F8C3FED34FE0A6B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxf515li.ghq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hz5jt5ps.pz5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oiyaziqw.sfh.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgufgmvk.ob1.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmp7751.tmp	XML 1.0 document, ASCII text	43661420A9E8C8A3450703867941B585	D272D278848EC8D31F7BAE78428268F3EC223D9C	B2B73C7B3CF1319EF0EF74D5627725B5D3AFAF1AD09AC8C667DEE9454D152D14
C:\Users\user\AppData\Local\Temp\tmp802A.tmp	XML 1.0 document, ASCII text	43661420A9E8C8A3450703867941B585	D272D278848EC8D31F7BAE78428268F3EC223D9C	B2B73C7B3CF1319EF0EF74D5627725B5D3AFAF1AD09AC8C667DEE9454D152D14
C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\catalog.dat	data	9E7D0351E4DF94A9B0BADCEB6A9DB963	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat	ISO-8859 text, with no line terminators	82EF622C4F77C9918DFD4E79A5B82611	EF864B01B934E1D7D10D5E186346315CA58CED76	21C0096509897660A12ABC21DD3AF09D4F86B127A5AF581003EF586469EDB5C5
C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\storage.dat	data	2E52F446105FBF828E63CF808B721F9C	5330E54F238F46DC04C1AC62B051DB4FCD7416FB	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	14239732DBDDFE922C297FDEAC56A062	3F4F6454C4A2C1C5D1E10D5F841CE14EEF00A785	1805439355F48464312B4F9C0E16301C5F211C204E197C2000E7342C8DB95C00
C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	EEE0F2BC29539EE63523989B8E12066E	B035AC997F6FF907561C6CB74F28BBE0D11DC293	4655BFC11EFBC95EC36DD9D33722994D50B6E6BE02DC16D0486BC85E710579F3
\Device\ConDrv	ASCII text, with CRLF line terminators	932782CF70ED00D22C0B08B5027B4E31	78F460A2155D9E819B8452C281285D7E0A7AC14F	F2C2477FB3FD0A30F3D3D8637EF9C774B43E940043635DF90CDD804799A2ECE7