Edit tour

Windows Analysis Report
fLNzmBM9hR.exe

Overview

General Information

Sample name:	fLNzmBM9hR.exe renamed because original name is a hash value
Original sample name:	14239732dbddfe922c297fdeac56a062.exe
Analysis ID:	1446518
MD5:	14239732dbddfe922c297fdeac56a062
SHA1:	3f4f6454c4a2c1c5d1e10d5f841ce14eef00a785
SHA256:	1805439355f48464312b4f9c0e16301c5f211c204e197c2000e7342c8db95c00
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

fLNzmBM9hR.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\fLNzmBM9hR.exe" MD5: 14239732DBDDFE922C297FDEAC56A062)

powershell.exe (PID: 7088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5480 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7100 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 7120 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 1416 MD5: C31336C1EFC2CCB44B4326EA793040F2)

dgKDUvhlvCiVpa.exe (PID: 6960 cmdline: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe MD5: 14239732DBDDFE922C297FDEAC56A062)

schtasks.exe (PID: 7248 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7292 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

dnshost.exe (PID: 7492 cmdline: "C:\Program Files (x86)\DNS Host\dnshost.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.cluster25.duskrise.com/2023/10/12/cve-2023-38831-russian-attack	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1fa46b72-10f9-4da3-bc15-84dde165", "Group": "NewBin", "Domain1": "newsddawork.3utilities.com", "Domain2": "maxlogs.webhop.me", "Port": 1620, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000006.00000002.3087398590.0000000004543000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x51e8:$a1: NanoCore.ClientPluginHost 0x1462a:$a1: NanoCore.ClientPluginHost 0x3bc33:$a1: NanoCore.ClientPluginHost 0x51bf:$a2: NanoCore.ClientPlugin 0x14605:$a2: NanoCore.ClientPlugin 0x3bc0a:$a2: NanoCore.ClientPlugin 0x1461b:$b4: IClientAppHost 0xa213:$b7: LogClientException 0x18b0a:$b7: LogClientException 0x40c5e:$b7: LogClientException 0x51d5:$b9: IClientLoggingHost 0x14654:$b9: IClientLoggingHost 0x3bc20:$b9: IClientLoggingHost
00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfcf5:$v1: NanoCore Client 0xfd05:$v1: NanoCore Client 0x115c6:$v2: PluginCommand 0x115ae:$v3: CommandType
00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10c95:$a1: NanoCore.ClientPluginHost 0x436b5:$a1: NanoCore.ClientPluginHost 0x75ed5:$a1: NanoCore.ClientPluginHost 0x10c55:$a2: NanoCore.ClientPlugin 0x43675:$a2: NanoCore.ClientPlugin 0x75e95:$a2: NanoCore.ClientPlugin 0x12bae:$b1: get_BuilderSettings 0x455ce:$b1: get_BuilderSettings 0x77dee:$b1: get_BuilderSettings 0x10ab1:$b2: ClientLoaderForm.resources 0x434d1:$b2: ClientLoaderForm.resources 0x75cf1:$b2: ClientLoaderForm.resources 0x122ce:$b3: PluginCommand 0x44cee:$b3: PluginCommand 0x7750e:$b3: PluginCommand 0x10c86:$b4: IClientAppHost 0x436a6:$b4: IClientAppHost 0x75ec6:$b4: IClientAppHost 0x1b106:$b5: GetBlockHash 0x4db26:$b5: GetBlockHash 0x80346:$b5: GetBlockHash
00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x109fd:$a: NanoCore 0x10a0d:$a: NanoCore 0x10c41:$a: NanoCore 0x10c55:$a: NanoCore 0x10c95:$a: NanoCore 0x4341d:$a: NanoCore 0x4342d:$a: NanoCore 0x43661:$a: NanoCore 0x43675:$a: NanoCore 0x436b5:$a: NanoCore 0x75c3d:$a: NanoCore 0x75c4d:$a: NanoCore 0x75e81:$a: NanoCore 0x75e95:$a: NanoCore 0x75ed5:$a: NanoCore 0x10a5c:$b: ClientPlugin 0x10c5e:$b: ClientPlugin 0x10c9e:$b: ClientPlugin 0x4347c:$b: ClientPlugin 0x4367e:$b: ClientPlugin 0x436be:$b: ClientPlugin
00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10c95:$x1: NanoCore.ClientPluginHost 0x436b5:$x1: NanoCore.ClientPluginHost 0x75ed5:$x1: NanoCore.ClientPluginHost 0x10cd2:$x2: IClientNetworkHost 0x436f2:$x2: IClientNetworkHost 0x75f12:$x2: IClientNetworkHost 0x14805:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47225:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79a45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x109fd:$v1: NanoCore Client 0x10a0d:$v1: NanoCore Client 0x4341d:$v1: NanoCore Client 0x4342d:$v1: NanoCore Client 0x75c3d:$v1: NanoCore Client 0x75c4d:$v1: NanoCore Client 0x122ce:$v2: PluginCommand 0x44cee:$v2: PluginCommand 0x7750e:$v2: PluginCommand 0x122b6:$v3: CommandType 0x44cd6:$v3: CommandType 0x774f6:$v3: CommandType
00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x558cf:$a1: NanoCore.ClientPluginHost 0x5fcfa:$a1: NanoCore.ClientPluginHost 0x6acd7:$a1: NanoCore.ClientPluginHost 0x76a79:$a1: NanoCore.ClientPluginHost 0x9b97d:$a1: NanoCore.ClientPluginHost 0xaadbd:$a1: NanoCore.ClientPluginHost 0x559b9:$a2: NanoCore.ClientPlugin 0x5fd9a:$a2: NanoCore.ClientPlugin 0x6acae:$a2: NanoCore.ClientPlugin 0x76a50:$a2: NanoCore.ClientPlugin 0x9b954:$a2: NanoCore.ClientPlugin 0xaad98:$a2: NanoCore.ClientPlugin 0xaadae:$b4: IClientAppHost 0x57212:$b7: LogClientException 0x60af0:$b7: LogClientException 0x78dc2:$b7: LogClientException 0xa09a8:$b7: LogClientException 0xaf29d:$b7: LogClientException 0x56825:$b8: PipeExists 0x558e9:$b9: IClientLoggingHost 0x5fd14:$b9: IClientLoggingHost
00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x558cf:$a: NanoCore 0x559b9:$a: NanoCore 0x56830:$a: NanoCore 0x5f9da:$a: NanoCore 0x5fa3b:$a: NanoCore 0x5fa7e:$a: NanoCore 0x5fabe:$a: NanoCore 0x5fcfa:$a: NanoCore 0x5fd9a:$a: NanoCore 0x60572:$a: NanoCore 0x60b65:$a: NanoCore 0x60cb6:$a: NanoCore 0x61b10:$a: NanoCore 0x61d77:$a: NanoCore 0x61d8c:$a: NanoCore 0x61dab:$a: NanoCore 0x6acae:$a: NanoCore 0x6acd7:$a: NanoCore 0x76a50:$a: NanoCore 0x76a79:$a: NanoCore 0x9b93c:$a: NanoCore
00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2d385:$a1: NanoCore.ClientPluginHost 0x2d348:$a2: NanoCore.ClientPlugin 0x2d71c:$b1: get_BuilderSettings 0x2d3d3:$b4: IClientAppHost 0x2d78d:$b6: AddHostEntry 0x2d7fc:$b7: LogClientException 0x2d771:$b8: PipeExists 0x2d3c0:$b9: IClientLoggingHost
00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10da5:$a1: NanoCore.ClientPluginHost 0x437c5:$a1: NanoCore.ClientPluginHost 0x75fe5:$a1: NanoCore.ClientPluginHost 0x10d65:$a2: NanoCore.ClientPlugin 0x43785:$a2: NanoCore.ClientPlugin 0x75fa5:$a2: NanoCore.ClientPlugin 0x12cbe:$b1: get_BuilderSettings 0x456de:$b1: get_BuilderSettings 0x77efe:$b1: get_BuilderSettings 0x10bc1:$b2: ClientLoaderForm.resources 0x435e1:$b2: ClientLoaderForm.resources 0x75e01:$b2: ClientLoaderForm.resources 0x123de:$b3: PluginCommand 0x44dfe:$b3: PluginCommand 0x7761e:$b3: PluginCommand 0x10d96:$b4: IClientAppHost 0x437b6:$b4: IClientAppHost 0x75fd6:$b4: IClientAppHost 0x1b216:$b5: GetBlockHash 0x4dc36:$b5: GetBlockHash 0x80456:$b5: GetBlockHash
00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10b0d:$a: NanoCore 0x10b1d:$a: NanoCore 0x10d51:$a: NanoCore 0x10d65:$a: NanoCore 0x10da5:$a: NanoCore 0x4352d:$a: NanoCore 0x4353d:$a: NanoCore 0x43771:$a: NanoCore 0x43785:$a: NanoCore 0x437c5:$a: NanoCore 0x75d4d:$a: NanoCore 0x75d5d:$a: NanoCore 0x75f91:$a: NanoCore 0x75fa5:$a: NanoCore 0x75fe5:$a: NanoCore 0x10b6c:$b: ClientPlugin 0x10d6e:$b: ClientPlugin 0x10dae:$b: ClientPlugin 0x4358c:$b: ClientPlugin 0x4378e:$b: ClientPlugin 0x437ce:$b: ClientPlugin
00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10da5:$x1: NanoCore.ClientPluginHost 0x437c5:$x1: NanoCore.ClientPluginHost 0x75fe5:$x1: NanoCore.ClientPluginHost 0x10de2:$x2: IClientNetworkHost 0x43802:$x2: IClientNetworkHost 0x76022:$x2: IClientNetworkHost 0x14915:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47335:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79b55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x10b0d:$v1: NanoCore Client 0x10b1d:$v1: NanoCore Client 0x4352d:$v1: NanoCore Client 0x4353d:$v1: NanoCore Client 0x75d4d:$v1: NanoCore Client 0x75d5d:$v1: NanoCore Client 0x123de:$v2: PluginCommand 0x44dfe:$v2: PluginCommand 0x7761e:$v2: PluginCommand 0x123c6:$v3: CommandType 0x44de6:$v3: CommandType 0x77606:$v3: CommandType
00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x42ffb:$a1: NanoCore.ClientPluginHost 0x56769:$a1: NanoCore.ClientPluginHost 0x6f23d:$a1: NanoCore.ClientPluginHost 0x42fbe:$a2: NanoCore.ClientPlugin 0x56734:$a2: NanoCore.ClientPlugin 0x6f208:$a2: NanoCore.ClientPlugin 0x43392:$b1: get_BuilderSettings 0x5b6af:$b1: get_BuilderSettings 0x74183:$b1: get_BuilderSettings 0x43049:$b4: IClientAppHost 0x43403:$b6: AddHostEntry 0x43472:$b7: LogClientException 0x5b61e:$b7: LogClientException 0x740f2:$b7: LogClientException 0x433e7:$b8: PipeExists 0x43036:$b9: IClientLoggingHost 0x56783:$b9: IClientLoggingHost 0x6f257:$b9: IClientLoggingHost
0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f65:$a: NanoCore 0x42fbe:$a: NanoCore 0x42ffb:$a: NanoCore 0x43074:$a: NanoCore 0x5671f:$a: NanoCore 0x56734:$a: NanoCore 0x56769:$a: NanoCore 0x6f1f3:$a: NanoCore 0x6f208:$a: NanoCore 0x6f23d:$a: NanoCore 0x42fc7:$b: ClientPlugin 0x43004:$b: ClientPlugin 0x43902:$b: ClientPlugin 0x4390f:$b: ClientPlugin 0x564db:$b: ClientPlugin 0x564f6:$b: ClientPlugin 0x56526:$b: ClientPlugin 0x5673d:$b: ClientPlugin 0x56772:$b: ClientPlugin 0x6efaf:$b: ClientPlugin 0x6efca:$b: ClientPlugin
00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d83f:$a1: NanoCore.ClientPluginHost 0x2da35:$a1: NanoCore.ClientPluginHost 0x3ab7f:$a1: NanoCore.ClientPluginHost 0x449b3:$a1: NanoCore.ClientPluginHost 0x4ba84:$a1: NanoCore.ClientPluginHost 0x51d11:$a1: NanoCore.ClientPluginHost 0x5c323:$a1: NanoCore.ClientPluginHost 0x66753:$a1: NanoCore.ClientPluginHost 0x71739:$a1: NanoCore.ClientPluginHost 0x7d4e3:$a1: NanoCore.ClientPluginHost 0x8922e:$a1: NanoCore.ClientPluginHost 0x1d81a:$a2: NanoCore.ClientPlugin 0x2da0f:$a2: NanoCore.ClientPlugin 0x3abfb:$a2: NanoCore.ClientPlugin 0x44a2f:$a2: NanoCore.ClientPlugin 0x4bace:$a2: NanoCore.ClientPlugin 0x51d8b:$a2: NanoCore.ClientPlugin 0x5c40d:$a2: NanoCore.ClientPlugin 0x667f3:$a2: NanoCore.ClientPlugin 0x71710:$a2: NanoCore.ClientPlugin 0x7d4ba:$a2: NanoCore.ClientPlugin
00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d81a:$a: NanoCore 0x1d83f:$a: NanoCore 0x1d898:$a: NanoCore 0x2da0f:$a: NanoCore 0x2da35:$a: NanoCore 0x2da91:$a: NanoCore 0x3a8c7:$a: NanoCore 0x3a920:$a: NanoCore 0x3a953:$a: NanoCore 0x3ab7f:$a: NanoCore 0x3abfb:$a: NanoCore 0x3b214:$a: NanoCore 0x3b35d:$a: NanoCore 0x3b831:$a: NanoCore 0x3bb18:$a: NanoCore 0x3bb2f:$a: NanoCore 0x449b3:$a: NanoCore 0x44a2f:$a: NanoCore 0x47312:$a: NanoCore 0x4ba84:$a: NanoCore 0x4bace:$a: NanoCore
0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6d999:$a1: NanoCore.ClientPluginHost 0x6d95c:$a2: NanoCore.ClientPlugin 0x5f243:$b1: get_BuilderSettings 0x6dd30:$b1: get_BuilderSettings 0x6d9e7:$b4: IClientAppHost 0x6dda1:$b6: AddHostEntry 0x5f1b2:$b7: LogClientException 0x6de10:$b7: LogClientException 0x6dd85:$b8: PipeExists 0x6d9d4:$b9: IClientLoggingHost
0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6d903:$a: NanoCore 0x6d95c:$a: NanoCore 0x6d999:$a: NanoCore 0x6da12:$a: NanoCore 0x6d965:$b: ClientPlugin 0x6d9a2:$b: ClientPlugin 0x6e2a0:$b: ClientPlugin 0x6e2ad:$b: ClientPlugin 0x63538:$e: KeepAlive 0x6dded:$g: LogClientMessage 0x6dd6d:$i: get_Connected 0x5dd09:$j: #=q 0x5dd39:$j: #=q 0x5dd75:$j: #=q 0x5dd9d:$j: #=q 0x5ddcd:$j: #=q 0x5ddfd:$j: #=q 0x5de2d:$j: #=q 0x5de5d:$j: #=q 0x5de79:$j: #=q 0x5dea9:$j: #=q
Process Memory Space: fLNzmBM9hR.exe PID: 6540	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: fLNzmBM9hR.exe PID: 6540	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: fLNzmBM9hR.exe PID: 6540	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x292bd:$a1: NanoCore.ClientPluginHost 0x2927d:$a2: NanoCore.ClientPlugin 0x2b194:$b1: get_BuilderSettings 0x2903e:$b2: ClientLoaderForm.resources 0x2a8b4:$b3: PluginCommand 0x292ae:$b4: IClientAppHost 0x336e7:$b5: GetBlockHash 0x2b7ec:$b6: AddHostEntry 0x3690b:$b6: AddHostEntry 0x428d5:$b6: AddHostEntry 0x4dc73:$b6: AddHostEntry 0x2f4df:$b7: LogClientException 0x3a44c:$b7: LogClientException 0x46416:$b7: LogClientException 0x517b4:$b7: LogClientException 0x2b759:$b8: PipeExists 0x3687f:$b8: PipeExists 0x42849:$b8: PipeExists 0x4dbe7:$b8: PipeExists 0x292e7:$b9: IClientLoggingHost
Process Memory Space: fLNzmBM9hR.exe PID: 6540	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x28f8a:$a: NanoCore 0x28f9a:$a: NanoCore 0x29059:$a: NanoCore 0x29068:$a: NanoCore 0x29269:$a: NanoCore 0x2927d:$a: NanoCore 0x292bd:$a: NanoCore 0x344db:$a: NanoCore 0x344ed:$a: NanoCore 0x34529:$a: NanoCore 0x404a5:$a: NanoCore 0x404b7:$a: NanoCore 0x404f3:$a: NanoCore 0x4b843:$a: NanoCore 0x4b855:$a: NanoCore 0x4b891:$a: NanoCore 0x28fe9:$b: ClientPlugin 0x290b2:$b: ClientPlugin 0x29286:$b: ClientPlugin 0x292c6:$b: ClientPlugin 0x344f6:$b: ClientPlugin
Process Memory Space: fLNzmBM9hR.exe PID: 6540	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x292bd:$x1: NanoCore.ClientPluginHost 0x292fa:$x2: IClientNetworkHost 0x2cdeb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x37e71:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x43e3b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4f1d9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: fLNzmBM9hR.exe PID: 6540	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x28f8a:$v1: NanoCore Client 0x28f9a:$v1: NanoCore Client 0x29059:$v1: NanoCore Client 0x29068:$v1: NanoCore Client 0x2a8b4:$v2: PluginCommand 0x35a4d:$v2: PluginCommand 0x41a17:$v2: PluginCommand 0x4cdb5:$v2: PluginCommand 0x2a89c:$v3: CommandType 0x35a37:$v3: CommandType 0x41a01:$v3: CommandType 0x4cd9f:$v3: CommandType
Process Memory Space: MSBuild.exe PID: 7012	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 7012	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 7012	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1276:$a1: NanoCore.ClientPluginHost 0xca6d:$a1: NanoCore.ClientPluginHost 0x41076:$a1: NanoCore.ClientPluginHost 0x536c5:$a1: NanoCore.ClientPluginHost 0x57b3e:$a1: NanoCore.ClientPluginHost 0x67b4c:$a1: NanoCore.ClientPluginHost 0x754a5:$a1: NanoCore.ClientPluginHost 0xb29dc:$a1: NanoCore.ClientPluginHost 0xc8065:$a1: NanoCore.ClientPluginHost 0xd46ad:$a1: NanoCore.ClientPluginHost 0xe15cd:$a1: NanoCore.ClientPluginHost 0x11559a:$a1: NanoCore.ClientPluginHost 0x11f0ec:$a1: NanoCore.ClientPluginHost 0x13969a:$a1: NanoCore.ClientPluginHost 0x13c4d7:$a1: NanoCore.ClientPluginHost 0x14174f:$a1: NanoCore.ClientPluginHost 0x148fca:$a1: NanoCore.ClientPluginHost 0x14e6e7:$a1: NanoCore.ClientPluginHost 0x1239:$a2: NanoCore.ClientPlugin 0xca44:$a2: NanoCore.ClientPlugin 0x41039:$a2: NanoCore.ClientPlugin
Process Memory Space: MSBuild.exe PID: 7012	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11e0:$a: NanoCore 0x1239:$a: NanoCore 0x1276:$a: NanoCore 0x12ef:$a: NanoCore 0x1ba8:$a: NanoCore 0x1bfb:$a: NanoCore 0x1c34:$a: NanoCore 0x1ca7:$a: NanoCore 0x3289:$a: NanoCore 0x3b4f:$a: NanoCore 0x3e64:$a: NanoCore 0x3feb:$a: NanoCore 0x4004:$a: NanoCore 0xa0ec:$a: NanoCore 0xa246:$a: NanoCore 0xca2c:$a: NanoCore 0xca44:$a: NanoCore 0xca6d:$a: NanoCore 0x12154:$a: NanoCore 0x1216a:$a: NanoCore 0x12191:$a: NanoCore
Process Memory Space: MSBuild.exe PID: 7012	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x3391b:$v1: NanoCore Client 0x36b3f:$v1: NanoCore Client 0x36b9c:$v1: NanoCore Client 0x36c24:$v1: NanoCore Client 0xaf602:$v1: NanoCore Client 0xb19f0:$v1: NanoCore Client 0xb1a04:$v1: NanoCore Client 0x8ba7a:$v2: PluginCommand 0x9021c:$v2: PluginCommand 0x139f0c:$v2: PluginCommand 0x149bdd:$v2: PluginCommand 0xd80c:$v3: CommandType 0x12ead:$v3: CommandType 0x1c85a:$v3: CommandType 0x2df64:$v3: CommandType 0x534c8:$v3: CommandType 0x54b3b:$v3: CommandType 0x58a70:$v3: CommandType 0x602a0:$v3: CommandType 0x686a7:$v3: CommandType 0x6c15d:$v3: CommandType
Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4a96e:$a1: NanoCore.ClientPluginHost 0x4a92e:$a2: NanoCore.ClientPlugin 0x4c845:$b1: get_BuilderSettings 0x4a6ef:$b2: ClientLoaderForm.resources 0x4bf65:$b3: PluginCommand 0x4a95f:$b4: IClientAppHost 0x54d98:$b5: GetBlockHash 0x4ce9d:$b6: AddHostEntry 0x57fbc:$b6: AddHostEntry 0x63f86:$b6: AddHostEntry 0x6f324:$b6: AddHostEntry 0x50b90:$b7: LogClientException 0x5bafd:$b7: LogClientException 0x67ac7:$b7: LogClientException 0x72e65:$b7: LogClientException 0x4ce0a:$b8: PipeExists 0x57f30:$b8: PipeExists 0x63efa:$b8: PipeExists 0x6f298:$b8: PipeExists 0x4a998:$b9: IClientLoggingHost
Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4a63b:$a: NanoCore 0x4a64b:$a: NanoCore 0x4a70a:$a: NanoCore 0x4a719:$a: NanoCore 0x4a91a:$a: NanoCore 0x4a92e:$a: NanoCore 0x4a96e:$a: NanoCore 0x55b8c:$a: NanoCore 0x55b9e:$a: NanoCore 0x55bda:$a: NanoCore 0x61b56:$a: NanoCore 0x61b68:$a: NanoCore 0x61ba4:$a: NanoCore 0x6cef4:$a: NanoCore 0x6cf06:$a: NanoCore 0x6cf42:$a: NanoCore 0x4a69a:$b: ClientPlugin 0x4a763:$b: ClientPlugin 0x4a937:$b: ClientPlugin 0x4a977:$b: ClientPlugin 0x55ba7:$b: ClientPlugin
Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4a96e:$x1: NanoCore.ClientPluginHost 0x4a9ab:$x2: IClientNetworkHost 0x4e49c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59522:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x654ec:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7088a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x4a63b:$v1: NanoCore Client 0x4a64b:$v1: NanoCore Client 0x4a70a:$v1: NanoCore Client 0x4a719:$v1: NanoCore Client 0x4bf65:$v2: PluginCommand 0x570fe:$v2: PluginCommand 0x630c8:$v2: PluginCommand 0x6e466:$v2: PluginCommand 0x4bf4d:$v3: CommandType 0x570e8:$v3: CommandType 0x630b2:$v3: CommandType 0x6e450:$v3: CommandType
Process Memory Space: MSBuild.exe PID: 7292	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 7292	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x50c7:$a1: NanoCore.ClientPluginHost 0x23cb0:$a1: NanoCore.ClientPluginHost 0x506f6:$a1: NanoCore.ClientPluginHost 0x5087:$a2: NanoCore.ClientPlugin 0x23c73:$a2: NanoCore.ClientPlugin 0x506b9:$a2: NanoCore.ClientPlugin 0x6f9e:$b1: get_BuilderSettings 0x2402a:$b1: get_BuilderSettings 0x498f1:$b1: get_BuilderSettings 0x4e48:$b2: ClientLoaderForm.resources 0x66be:$b3: PluginCommand 0x50b8:$b4: IClientAppHost 0x23cfe:$b4: IClientAppHost 0x50744:$b4: IClientAppHost 0xf4f1:$b5: GetBlockHash 0x75f6:$b6: AddHostEntry 0x12715:$b6: AddHostEntry 0x2409b:$b6: AddHostEntry 0x50a57:$b6: AddHostEntry 0xb2e9:$b7: LogClientException 0x16256:$b7: LogClientException
Process Memory Space: MSBuild.exe PID: 7292	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4d94:$a: NanoCore 0x4da4:$a: NanoCore 0x4e63:$a: NanoCore 0x4e72:$a: NanoCore 0x5073:$a: NanoCore 0x5087:$a: NanoCore 0x50c7:$a: NanoCore 0x102e5:$a: NanoCore 0x102f7:$a: NanoCore 0x10333:$a: NanoCore 0x1b940:$a: NanoCore 0x1f4c4:$a: NanoCore 0x23c1a:$a: NanoCore 0x23c73:$a: NanoCore 0x23cb0:$a: NanoCore 0x23d29:$a: NanoCore 0x245e2:$a: NanoCore 0x24635:$a: NanoCore 0x2466e:$a: NanoCore 0x246e1:$a: NanoCore 0x2bcb3:$a: NanoCore
Process Memory Space: MSBuild.exe PID: 7292	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x50c7:$x1: NanoCore.ClientPluginHost 0x23cb0:$x1: NanoCore.ClientPluginHost 0x506f6:$x1: NanoCore.ClientPluginHost 0x5104:$x2: IClientNetworkHost 0x23cca:$x2: IClientNetworkHost 0x50710:$x2: IClientNetworkHost 0x8bf5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13c7b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: MSBuild.exe PID: 7292	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0x4d94:$v1: NanoCore Client 0x4da4:$v1: NanoCore Client 0x4e63:$v1: NanoCore Client 0x4e72:$v1: NanoCore Client 0x1b940:$v1: NanoCore Client 0x1f4c4:$v1: NanoCore Client 0x37a4b:$v1: NanoCore Client 0x37a5f:$v1: NanoCore Client 0x38e6b:$v1: NanoCore Client 0x38ec8:$v1: NanoCore Client 0x38f53:$v1: NanoCore Client 0x51be2:$v1: NanoCore Client 0x51d2d:$v1: NanoCore Client 0x51d43:$v1: NanoCore Client 0x66be:$v2: PluginCommand 0x11857:$v2: PluginCommand 0x66a6:$v3: CommandType 0x11841:$v3: CommandType 0x27afe:$v3: CommandType 0x2cb86:$v3: CommandType 0x323aa:$v3: CommandType
Click to see the 88 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.MSBuild.exe.7720000.16.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
6.2.MSBuild.exe.7720000.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
6.2.MSBuild.exe.7720000.16.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
6.2.MSBuild.exe.464513e.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
6.2.MSBuild.exe.7710000.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
6.2.MSBuild.exe.464513e.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
6.2.MSBuild.exe.464513e.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
6.2.MSBuild.exe.7710000.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
6.2.MSBuild.exe.7710000.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
6.2.MSBuild.exe.79f0000.24.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
6.2.MSBuild.exe.79f0000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
6.2.MSBuild.exe.79f0000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
6.2.MSBuild.exe.7a30000.28.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
6.2.MSBuild.exe.7a30000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
6.2.MSBuild.exe.7a30000.28.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
6.2.MSBuild.exe.77e0000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
6.2.MSBuild.exe.77e0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
6.2.MSBuild.exe.77e0000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
6.2.MSBuild.exe.7a30000.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
6.2.MSBuild.exe.7a30000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
6.2.MSBuild.exe.7a30000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
6.2.MSBuild.exe.7780000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
6.2.MSBuild.exe.7780000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
6.2.MSBuild.exe.7780000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
11.2.MSBuild.exe.2f6db24.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
11.2.MSBuild.exe.2f6db24.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
11.2.MSBuild.exe.2f6db24.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
6.2.MSBuild.exe.79f0000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
6.2.MSBuild.exe.79f0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
6.2.MSBuild.exe.79f0000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
6.2.MSBuild.exe.77e0000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
6.2.MSBuild.exe.77e0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
6.2.MSBuild.exe.77e0000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
11.2.MSBuild.exe.3f4ffbc.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.MSBuild.exe.3f4ffbc.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
11.2.MSBuild.exe.3f4ffbc.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
11.2.MSBuild.exe.3f4ffbc.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
6.2.MSBuild.exe.7a00000.26.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
6.2.MSBuild.exe.7a00000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
6.2.MSBuild.exe.7a00000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
6.2.MSBuild.exe.6a90000.13.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.MSBuild.exe.6a90000.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
6.2.MSBuild.exe.6a90000.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
6.2.MSBuild.exe.6a90000.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
6.2.MSBuild.exe.7790000.21.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
6.2.MSBuild.exe.7790000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
6.2.MSBuild.exe.7790000.21.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
6.2.MSBuild.exe.7770000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
6.2.MSBuild.exe.7770000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
6.2.MSBuild.exe.7770000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
6.2.MSBuild.exe.455fa58.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
6.2.MSBuild.exe.455fa58.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
6.2.MSBuild.exe.455fa58.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
6.2.MSBuild.exe.7a04c9f.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
6.2.MSBuild.exe.7a04c9f.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
6.2.MSBuild.exe.7a04c9f.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
6.2.MSBuild.exe.7710000.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
6.2.MSBuild.exe.7710000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
6.2.MSBuild.exe.7710000.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
11.2.MSBuild.exe.3f4b186.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.MSBuild.exe.3f4b186.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d0b7:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d082:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x31ffd:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x31f6c:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d0d1:$b9: IClientLoggingHost
11.2.MSBuild.exe.3f4b186.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d06d:$a: NanoCore 0x2d082:$a: NanoCore 0x2d0b7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce29:$b: ClientPlugin 0x2ce44:$b: ClientPlugin
11.2.MSBuild.exe.3f4b186.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0b7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0e4:$x2: IClientNetworkHost
11.2.MSBuild.exe.3f4b186.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d082:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d0b7:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d076:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d098:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d0a7:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0d1:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
6.2.MSBuild.exe.32c5c84.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
6.2.MSBuild.exe.32c5c84.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
6.2.MSBuild.exe.32c5c84.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
6.2.MSBuild.exe.7760000.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
6.2.MSBuild.exe.7760000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
6.2.MSBuild.exe.7760000.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
6.2.MSBuild.exe.7790000.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
6.2.MSBuild.exe.7790000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
6.2.MSBuild.exe.7790000.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
6.2.MSBuild.exe.463c30f.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
6.2.MSBuild.exe.463c30f.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
6.2.MSBuild.exe.463c30f.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
6.2.MSBuild.exe.7750000.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
6.2.MSBuild.exe.7750000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
6.2.MSBuild.exe.7750000.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
6.2.MSBuild.exe.6a94629.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.MSBuild.exe.6a94629.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
6.2.MSBuild.exe.6a94629.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
6.2.MSBuild.exe.6a94629.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
6.2.MSBuild.exe.464513e.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
6.2.MSBuild.exe.464513e.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
6.2.MSBuild.exe.464513e.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
11.2.MSBuild.exe.3f4ffbc.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.MSBuild.exe.3f4ffbc.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28281:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x2824c:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1c7:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d136:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x2829b:$b9: IClientLoggingHost
11.2.MSBuild.exe.3f4ffbc.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28281:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282ae:$x2: IClientNetworkHost
11.2.MSBuild.exe.3f4ffbc.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x2824c:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28281:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28240:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x28262:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28271:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x2829b:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x282ae:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282c1:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282cf:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282eb:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x429ad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x4296d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x448c6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x427c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x43fe6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x4299e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4ce1e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x44f1e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48c11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x44e8b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.MSBuild.exe.465356e.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x2840f:$a1: NanoCore.ClientPluginHost 0x3784f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x283e6:$a2: NanoCore.ClientPlugin 0x3782a:$a2: NanoCore.ClientPlugin 0x37840:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x2d43a:$b7: LogClientException 0x3bd2f:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost 0x283fc:$b9: IClientLoggingHost 0x37879:$b9: IClientLoggingHost
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42715:$v1: NanoCore Client 0x42725:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x43fe6:$v2: PluginCommand 0x117ae:$v3: CommandType 0x43fce:$v3: CommandType
6.2.MSBuild.exe.465356e.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42715:$x1: NanoCore Client 0x42725:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4296d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x429ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42962:$i1: IClientApp 0x10163:$i2: IClientData 0x42983:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4298f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x4299e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x429c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x429d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
6.2.MSBuild.exe.465356e.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
6.2.MSBuild.exe.7720000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
6.2.MSBuild.exe.7720000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
6.2.MSBuild.exe.7720000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
11.2.MSBuild.exe.3f545e5.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.MSBuild.exe.3f545e5.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c58:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c23:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b9e:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28b0d:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c72:$b9: IClientLoggingHost
11.2.MSBuild.exe.3f545e5.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c58:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c85:$x2: IClientNetworkHost
11.2.MSBuild.exe.3f545e5.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c23:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c58:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23c17:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c39:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c48:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c72:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c85:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c98:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23ca6:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23cc2:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
6.2.MSBuild.exe.6a90000.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.MSBuild.exe.6a90000.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
6.2.MSBuild.exe.6a90000.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
6.2.MSBuild.exe.6a90000.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
6.2.MSBuild.exe.455fa58.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
6.2.MSBuild.exe.455fa58.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
6.2.MSBuild.exe.455fa58.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
6.2.MSBuild.exe.465356e.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
6.2.MSBuild.exe.465356e.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
6.2.MSBuild.exe.465356e.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
6.2.MSBuild.exe.5f20000.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
6.2.MSBuild.exe.5f20000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.MSBuild.exe.5f20000.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
6.2.MSBuild.exe.7780000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
6.2.MSBuild.exe.7780000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
6.2.MSBuild.exe.7780000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
6.2.MSBuild.exe.77a0000.22.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
6.2.MSBuild.exe.77a0000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
6.2.MSBuild.exe.77a0000.22.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
6.2.MSBuild.exe.455163c.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
6.2.MSBuild.exe.455163c.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
6.2.MSBuild.exe.455163c.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
6.2.MSBuild.exe.77a0000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
6.2.MSBuild.exe.77a0000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
6.2.MSBuild.exe.77a0000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
6.2.MSBuild.exe.7a0e8a4.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
6.2.MSBuild.exe.7a0e8a4.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
6.2.MSBuild.exe.7a0e8a4.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
0.2.fLNzmBM9hR.exe.3d62528.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.fLNzmBM9hR.exe.3d62528.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
0.2.fLNzmBM9hR.exe.3d62528.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.fLNzmBM9hR.exe.3d62528.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.fLNzmBM9hR.exe.3d62528.4.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xe0f5:$v1: NanoCore Client 0xe105:$v1: NanoCore Client 0xf9c6:$v2: PluginCommand 0xf9ae:$v3: CommandType
0.2.fLNzmBM9hR.exe.3d62528.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
6.2.MSBuild.exe.7760000.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
6.2.MSBuild.exe.7760000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
6.2.MSBuild.exe.7760000.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
11.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
11.2.MSBuild.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.MSBuild.exe.7a00000.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
11.2.MSBuild.exe.400000.0.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x117ae:$v3: CommandType
6.2.MSBuild.exe.7a00000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
11.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
6.2.MSBuild.exe.7a00000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
6.2.MSBuild.exe.32d1e90.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
6.2.MSBuild.exe.32d1e90.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
6.2.MSBuild.exe.32d1e90.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x753cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x7538d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0x772e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x751e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x76a06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x753be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x7f83e:$b5: GetBlockHash
0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0x75135:$a: NanoCore 0x75145:$a: NanoCore 0x75379:$a: NanoCore 0x7538d:$a: NanoCore 0x753cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin
0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x753cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x7540a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x78f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42915:$v1: NanoCore Client 0x42925:$v1: NanoCore Client 0x75135:$v1: NanoCore Client 0x75145:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x441e6:$v2: PluginCommand 0x76a06:$v2: PluginCommand 0x117ae:$v3: CommandType 0x441ce:$v3: CommandType 0x769ee:$v3: CommandType
0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x75135:$x1: NanoCore Client 0x75145:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x7538d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x753cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x75382:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x753a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x753af:$i3: IClientNetwork
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42bad:$a1: NanoCore.ClientPluginHost 0x753cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42b6d:$a2: NanoCore.ClientPlugin 0x7538d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44ac6:$b1: get_BuilderSettings 0x772e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x429c9:$b2: ClientLoaderForm.resources 0x751e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x441e6:$b3: PluginCommand 0x76a06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42b9e:$b4: IClientAppHost 0x753be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d01e:$b5: GetBlockHash 0x7f83e:$b5: GetBlockHash
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0x75135:$a: NanoCore 0x75145:$a: NanoCore 0x75379:$a: NanoCore 0x7538d:$a: NanoCore 0x753cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x753cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x7540a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x78f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42915:$v1: NanoCore Client 0x42925:$v1: NanoCore Client 0x75135:$v1: NanoCore Client 0x75145:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x441e6:$v2: PluginCommand 0x76a06:$v2: PluginCommand 0x117ae:$v3: CommandType 0x441ce:$v3: CommandType 0x769ee:$v3: CommandType
7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42915:$x1: NanoCore Client 0x42925:$x1: NanoCore Client 0x75135:$x1: NanoCore Client 0x75145:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42b6d:$x2: NanoCore.ClientPlugin 0x7538d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42bad:$x3: NanoCore.ClientPluginHost 0x753cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42b62:$i1: IClientApp 0x75382:$i1: IClientApp 0x10163:$i2: IClientData 0x42b83:$i2: IClientData 0x753a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42b8f:$i3: IClientNetwork 0x753af:$i3: IClientNetwork
0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.MSBuild.exe.45646f7.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
6.2.MSBuild.exe.455163c.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x2d5f7:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x2d5ce:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x32622:$b7: LogClientException 0x6018:$b9: IClientLoggingHost 0x2d5e4:$b9: IClientLoggingHost
6.2.MSBuild.exe.463c30f.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
6.2.MSBuild.exe.45646f7.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
6.2.MSBuild.exe.463c30f.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
6.2.MSBuild.exe.463c30f.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
6.2.MSBuild.exe.326d510.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
6.2.MSBuild.exe.326d510.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
6.2.MSBuild.exe.326d510.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x429ad:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x4296d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x448c6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x427c9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x43fe6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x4299e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4ce1e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x44f1e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x48c11:$b7: LogClientException 0x1266b:$b8: PipeExists 0x44e8b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
6.2.MSBuild.exe.45646f7.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x96471:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto
0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.MSBuild.exe.455163c.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x2d5f7:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost 0x2d611:$x2: IClientNetworkHost
0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack	Nanocore	detect Nanocore in memory	JPCERT/CC Incident Response Group	0xfef5:$v1: NanoCore Client 0xff05:$v1: NanoCore Client 0x42715:$v1: NanoCore Client 0x42725:$v1: NanoCore Client 0x117c6:$v2: PluginCommand 0x43fe6:$v2: PluginCommand 0x117ae:$v3: CommandType 0x43fce:$v3: CommandType
6.2.MSBuild.exe.463c30f.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
6.2.MSBuild.exe.455163c.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x2d5ce:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x2d5f7:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x2d5bf:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x2d5e4:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x2d611:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x2d624:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin 0x2d32e:$s1: ClientPlugin 0x2d5d7:$s1: ClientPlugin
0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42715:$x1: NanoCore Client 0x42725:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x4296d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x429ad:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42962:$i1: IClientApp 0x10163:$i2: IClientData 0x42983:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x4298f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x4299e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x429c7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x429d7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
6.2.MSBuild.exe.32c5c84.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14db1:$a1: NanoCore.ClientPluginHost 0x21efb:$a1: NanoCore.ClientPluginHost 0x2bd2f:$a1: NanoCore.ClientPluginHost 0x32e00:$a1: NanoCore.ClientPluginHost 0x3908d:$a1: NanoCore.ClientPluginHost 0x4369f:$a1: NanoCore.ClientPluginHost 0x4dacf:$a1: NanoCore.ClientPluginHost 0x58ab5:$a1: NanoCore.ClientPluginHost 0x6485f:$a1: NanoCore.ClientPluginHost 0x705aa:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14d8b:$a2: NanoCore.ClientPlugin 0x21f77:$a2: NanoCore.ClientPlugin 0x2bdab:$a2: NanoCore.ClientPlugin 0x32e4a:$a2: NanoCore.ClientPlugin 0x39107:$a2: NanoCore.ClientPlugin 0x43789:$a2: NanoCore.ClientPlugin 0x4db6f:$a2: NanoCore.ClientPlugin 0x58a8c:$a2: NanoCore.ClientPlugin 0x64836:$a2: NanoCore.ClientPlugin
6.2.MSBuild.exe.32c5c84.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14d8b:$a: NanoCore 0x14db1:$a: NanoCore 0x14e0d:$a: NanoCore 0x21c43:$a: NanoCore 0x21c9c:$a: NanoCore 0x21ccf:$a: NanoCore 0x21efb:$a: NanoCore 0x21f77:$a: NanoCore 0x22590:$a: NanoCore 0x226d9:$a: NanoCore 0x22bad:$a: NanoCore 0x22e94:$a: NanoCore 0x22eab:$a: NanoCore 0x2bd2f:$a: NanoCore 0x2bdab:$a: NanoCore 0x2e68e:$a: NanoCore 0x32e00:$a: NanoCore 0x32e4a:$a: NanoCore
6.2.MSBuild.exe.32c5c84.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14d8b:$x2: NanoCore.ClientPlugin 0x21f77:$x2: NanoCore.ClientPlugin 0x2bdab:$x2: NanoCore.ClientPlugin 0x32e4a:$x2: NanoCore.ClientPlugin 0x39107:$x2: NanoCore.ClientPlugin 0x43789:$x2: NanoCore.ClientPlugin 0x4db6f:$x2: NanoCore.ClientPlugin 0x58a8c:$x2: NanoCore.ClientPlugin 0x64836:$x2: NanoCore.ClientPlugin 0x70585:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14db1:$x3: NanoCore.ClientPluginHost 0x21efb:$x3: NanoCore.ClientPluginHost 0x2bd2f:$x3: NanoCore.ClientPluginHost 0x32e00:$x3: NanoCore.ClientPluginHost 0x3908d:$x3: NanoCore.ClientPluginHost 0x4369f:$x3: NanoCore.ClientPluginHost 0x4dacf:$x3: NanoCore.ClientPluginHost 0x58ab5:$x3: NanoCore.ClientPluginHost 0x6485f:$x3: NanoCore.ClientPluginHost
6.2.MSBuild.exe.32d1e90.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15cef:$a1: NanoCore.ClientPluginHost 0x1fb23:$a1: NanoCore.ClientPluginHost 0x26bf4:$a1: NanoCore.ClientPluginHost 0x2ce81:$a1: NanoCore.ClientPluginHost 0x37493:$a1: NanoCore.ClientPluginHost 0x418c3:$a1: NanoCore.ClientPluginHost 0x4c8a9:$a1: NanoCore.ClientPluginHost 0x58653:$a1: NanoCore.ClientPluginHost 0x6439e:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d6b:$a2: NanoCore.ClientPlugin 0x1fb9f:$a2: NanoCore.ClientPlugin 0x26c3e:$a2: NanoCore.ClientPlugin 0x2cefb:$a2: NanoCore.ClientPlugin 0x3757d:$a2: NanoCore.ClientPlugin 0x41963:$a2: NanoCore.ClientPlugin 0x4c880:$a2: NanoCore.ClientPlugin 0x5862a:$a2: NanoCore.ClientPlugin 0x64379:$a2: NanoCore.ClientPlugin 0x6438f:$b4: IClientAppHost
6.2.MSBuild.exe.32d1e90.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a37:$a: NanoCore 0x15a90:$a: NanoCore 0x15ac3:$a: NanoCore 0x15cef:$a: NanoCore 0x15d6b:$a: NanoCore 0x16384:$a: NanoCore 0x164cd:$a: NanoCore 0x169a1:$a: NanoCore 0x16c88:$a: NanoCore 0x16c9f:$a: NanoCore 0x1fb23:$a: NanoCore 0x1fb9f:$a: NanoCore 0x22482:$a: NanoCore 0x26bf4:$a: NanoCore 0x26c3e:$a: NanoCore 0x27898:$a: NanoCore 0x2ce81:$a: NanoCore 0x2cefb:$a: NanoCore
6.2.MSBuild.exe.32d1e90.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d6b:$x2: NanoCore.ClientPlugin 0x1fb9f:$x2: NanoCore.ClientPlugin 0x26c3e:$x2: NanoCore.ClientPlugin 0x2cefb:$x2: NanoCore.ClientPlugin 0x3757d:$x2: NanoCore.ClientPlugin 0x41963:$x2: NanoCore.ClientPlugin 0x4c880:$x2: NanoCore.ClientPlugin 0x5862a:$x2: NanoCore.ClientPlugin 0x64379:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15cef:$x3: NanoCore.ClientPluginHost 0x1fb23:$x3: NanoCore.ClientPluginHost 0x26bf4:$x3: NanoCore.ClientPluginHost 0x2ce81:$x3: NanoCore.ClientPluginHost 0x37493:$x3: NanoCore.ClientPluginHost 0x418c3:$x3: NanoCore.ClientPluginHost 0x4c8a9:$x3: NanoCore.ClientPluginHost 0x58653:$x3: NanoCore.ClientPluginHost 0x6439e:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
6.2.MSBuild.exe.32e649c.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb517:$a1: NanoCore.ClientPluginHost 0x125e8:$a1: NanoCore.ClientPluginHost 0x18875:$a1: NanoCore.ClientPluginHost 0x22e87:$a1: NanoCore.ClientPluginHost 0x2d2b7:$a1: NanoCore.ClientPluginHost 0x3829d:$a1: NanoCore.ClientPluginHost 0x44047:$a1: NanoCore.ClientPluginHost 0x4fd92:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb593:$a2: NanoCore.ClientPlugin 0x12632:$a2: NanoCore.ClientPlugin 0x188ef:$a2: NanoCore.ClientPlugin 0x22f71:$a2: NanoCore.ClientPlugin 0x2d357:$a2: NanoCore.ClientPlugin 0x38274:$a2: NanoCore.ClientPlugin 0x4401e:$a2: NanoCore.ClientPlugin 0x4fd6d:$a2: NanoCore.ClientPlugin 0x4fd83:$b4: IClientAppHost 0xc11c:$b7: LogClientException 0x19010:$b7: LogClientException
6.2.MSBuild.exe.32e649c.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb517:$a: NanoCore 0xb593:$a: NanoCore 0xde76:$a: NanoCore 0x125e8:$a: NanoCore 0x12632:$a: NanoCore 0x1328c:$a: NanoCore 0x18875:$a: NanoCore 0x188ef:$a: NanoCore 0x22e87:$a: NanoCore 0x22f71:$a: NanoCore 0x23de8:$a: NanoCore
6.2.MSBuild.exe.32e649c.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb593:$x2: NanoCore.ClientPlugin 0x12632:$x2: NanoCore.ClientPlugin 0x188ef:$x2: NanoCore.ClientPlugin 0x22f71:$x2: NanoCore.ClientPlugin 0x2d357:$x2: NanoCore.ClientPlugin 0x38274:$x2: NanoCore.ClientPlugin 0x4401e:$x2: NanoCore.ClientPlugin 0x4fd6d:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb517:$x3: NanoCore.ClientPluginHost 0x125e8:$x3: NanoCore.ClientPluginHost 0x18875:$x3: NanoCore.ClientPluginHost 0x22e87:$x3: NanoCore.ClientPluginHost 0x2d2b7:$x3: NanoCore.ClientPluginHost 0x3829d:$x3: NanoCore.ClientPluginHost 0x44047:$x3: NanoCore.ClientPluginHost 0x4fd92:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0xb5a9:$i3: IClientNetwork 0x12648:$i3: IClientNetwork
Click to see the 208 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7012, TargetFilename: C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fLNzmBM9hR.exe", ParentImage: C:\Users\user\Desktop\fLNzmBM9hR.exe, ParentProcessId: 6540, ParentProcessName: fLNzmBM9hR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe", ProcessId: 7088, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe, ParentImage: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe, ParentProcessId: 6960, ParentProcessName: dgKDUvhlvCiVpa.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp", ProcessId: 7248, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\fLNzmBM9hR.exe", ParentImage: C:\Users\user\Desktop\fLNzmBM9hR.exe, ParentProcessId: 6540, ParentProcessName: fLNzmBM9hR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp", ProcessId: 7100, ProcessName: schtasks.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\DNS Host\dnshost.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 7012, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DNS Host

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fLNzmBM9hR.exe", ParentImage: C:\Users\user\Desktop\fLNzmBM9hR.exe, ParentProcessId: 6540, ParentProcessName: fLNzmBM9hR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe", ProcessId: 7088, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\fLNzmBM9hR.exe", ParentImage: C:\Users\user\Desktop\fLNzmBM9hR.exe, ParentProcessId: 6540, ParentProcessName: fLNzmBM9hR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp", ProcessId: 7100, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:18.239422
SID:	2046914
Source Port:	49744
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:30.409016
SID:	2046914
Source Port:	49746
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:49.518159
SID:	2046914
Source Port:	49749
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:36.408636
SID:	2046914
Source Port:	49747
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:48:01.127491
SID:	2046914
Source Port:	49752
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:04.830476
SID:	2046914
Source Port:	49736
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:46:58.783649
SID:	2046914
Source Port:	49732
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 104.243.242.165 - Destination IP: 192.168.2.4

Timestamp:	05/23/24-15:47:50.030323
SID:	2046917
Source Port:	1620
Destination Port:	49749
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:29.411754
SID:	2816718
Source Port:	49746
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:24.267940
SID:	2046914
Source Port:	49745
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 104.243.242.165 - Destination IP: 192.168.2.4

Timestamp:	05/23/24-15:47:45.326170
SID:	2046909
Source Port:	1620
Destination Port:	49748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:43.543709
SID:	2046914
Source Port:	49748
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:55.533842
SID:	2046914
Source Port:	49751
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.4 - Destination IP: 104.243.242.165

Timestamp:	05/23/24-15:47:12.142968
SID:	2046914
Source Port:	49737
Destination Port:	1620
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fLNzmBM9hR.exe

Avira: detected

Antivirus detection for URL or domain

Source: maxlogs.webhop.me

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe

Avira: detection malicious, Label: TR/AD.Nanocore.ihehd

Found malware configuration

Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1fa46b72-10f9-4da3-bc15-84dde165", "Group": "NewBin", "Domain1": "newsddawork.3utilities.com", "Domain2": "maxlogs.webhop.me", "Port": 1620, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Source: maxlogs.webhop.me

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Virustotal: Detection: 74%			Perma Link

Multi AV Scanner detection for submitted file

Source: fLNzmBM9hR.exe	Virustotal: Detection: 74%			Perma Link
Source: fLNzmBM9hR.exe	ReversingLabs: Detection: 76%

Yara detected Nanocore RAT

Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fLNzmBM9hR.exe

Joe Sandbox ML: detected

Source: fLNzmBM9hR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: fLNzmBM9hR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreStressTester.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: Accessibility.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: FileBrowserClient.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreBase.pdb\ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Windows.Forms.pdbl source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: mscorlib.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.pdb7 source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.pdbH source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Drawing.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPlugin.pdbh source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: dows\exe\MSBuild.pdb4 source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdbMZ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPluginNew.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: MyClientPluginNew.pdbMZ@ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPlugin.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: NanoCoreBase.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreStressTester.pdbt^ source: WERC6F3.tmp.dmp.20.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	6_2_06ACE4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	6_2_077D02C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	6_2_077D02B9

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49732 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49736 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49737 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49744 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49745 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49746 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49746 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49747 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49748 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046909 ET TROJAN NanoCore RAT Keepalive Response 1 104.243.242.165:1620 -> 192.168.2.4:49748
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49749 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046917 ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 104.243.242.165:1620 -> 192.168.2.4:49749
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49751 -> 104.243.242.165:1620
Source: Traffic	Snort IDS: 2046914 ET TROJAN NanoCore RAT CnC 7 192.168.2.4:49752 -> 104.243.242.165:1620

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: maxlogs.webhop.me
Source: Malware configuration extractor	URLs: newsddawork.3utilities.com

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 104.243.242.165:1620

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.151
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.151

Source: global traffic

DNS traffic detected: DNS query: newsddawork.3utilities.com

Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://google.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1673750956.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, dgKDUvhlvCiVpa.exe, 00000007.00000002.1695292378.0000000002B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.20.dr	String found in binary or memory: http://upx.sf.net
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp, fLNzmBM9hR.exe, 00000000.00000002.1676472894.0000000005FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: fLNzmBM9hR.exe, 00000000.00000002.1676427170.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

Network traffic detected: HTTP traffic on port 49675 -> 443

Source: MSBuild.exe, 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

memstr_d3b6dba2-6

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3087398590.0000000004543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_00D6D2E4	0_2_00D6D2E4
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_04A95520	0_2_04A95520
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_04A93628	0_2_04A93628
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_04A90AB9	0_2_04A90AB9
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Code function: 0_2_04A90AC8	0_2_04A90AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_017ED344	6_2_017ED344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06ACB658	6_2_06ACB658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06AC1D58	6_2_06AC1D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06ACC270	6_2_06ACC270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06ACC32E	6_2_06ACC32E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_06AC0140	6_2_06AC0140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D3798	6_2_077D3798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077DB660	6_2_077DB660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077DAD60	6_2_077DAD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D65B8	6_2_077D65B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D4C90	6_2_077D4C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077DA490	6_2_077DA490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D43B0	6_2_077D43B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D446E	6_2_077D446E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D728E	6_2_077D728E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077DA148	6_2_077DA148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_077D71D0	6_2_077D71D0
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00F1D2E4	7_2_00F1D2E4
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00FD4940	7_2_00FD4940
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00FD2A48	7_2_00FD2A48
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B4758	7_2_071B4758
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B3BF8	7_2_071B3BF8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B4748	7_2_071B4748
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B3637	7_2_071B3637
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B3648	7_2_071B3648
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BD6B0	7_2_071BD6B0
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BB5D0	7_2_071BB5D0
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BCCA8	7_2_071BCCA8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B3BE8	7_2_071B3BE8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BBA08	7_2_071BBA08
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BF950	7_2_071BF950
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071BF960	7_2_071BF960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 11_2_0155D344	11_2_0155D344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 12_2_00E55A49	12_2_00E55A49
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Code function: 12_2_00E52B90	12_2_00E52B90

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 1416

Source: fLNzmBM9hR.exe, 00000000.00000002.1677098272.0000000007567000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.exej% vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe, 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe, 00000000.00000002.1672969464.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe, 00000000.00000002.1676153949.00000000054E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe, 00000000.00000002.1677607202.0000000007B40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs fLNzmBM9hR.exe
Source: fLNzmBM9hR.exe	Binary or memory string: OriginalFilenameXBxR.exe. vs fLNzmBM9hR.exe

Source: fLNzmBM9hR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7720000.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.464513e.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7710000.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.79f0000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a30000.28.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.77e0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a30000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7780000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.2f6db24.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.79f0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.77e0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a00000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7790000.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7770000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.455fa58.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a04c9f.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7710000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.32c5c84.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7760000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7790000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.463c30f.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7750000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.464513e.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.465356e.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7720000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.455fa58.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.465356e.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.5f20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7780000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.77a0000.22.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.455163c.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.77a0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a0e8a4.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7760000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.7a00000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.32d1e90.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.326d510.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.45646f7.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MSBuild.exe.463c30f.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.455163c.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSBuild.exe.32c5c84.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSBuild.exe.32d1e90.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.MSBuild.exe.32e649c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3087398590.0000000004543000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR	Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research

Source: fLNzmBM9hR.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dgKDUvhlvCiVpa.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, Mt0ImfW2NMZoNJ1Hiu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, Mt0ImfW2NMZoNJ1Hiu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: _0020.AddAccessRule
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: _0020.SetAccessControl
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	Security API names: _0020.AddAccessRule

Source: 0.2.fLNzmBM9hR.exe.54c0000.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.fLNzmBM9hR.exe.2a56e68.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.fLNzmBM9hR.exe.2a46e50.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: dnshost.exe, 0000000C.00000002.1799913093.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q%C:\Program Files (x86)\DNS Host\*.sln
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe, 0000000C.00000002.1799913093.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe.6.dr	Binary or memory string: *.sln
Source: dnshost.exe, 0000000C.00000002.1798358511.0000000000B44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files (x86)\DNS Host\<.slnn<#N
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/23@16/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Program Files (x86)\DNS Host

Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

File created: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Mutant created: \Sessions\1\BaseNamedObjects\VORvjohFncKJWkVKKJ
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7012
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{1fa46b72-10f9-4da3-bc15-84dde165706d}

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7751.tmp

Jump to behavior

Source: fLNzmBM9hR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: fLNzmBM9hR.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fLNzmBM9hR.exe	Virustotal: Detection: 74%
Source: fLNzmBM9hR.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

File read: C:\Users\user\Desktop\fLNzmBM9hR.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fLNzmBM9hR.exe "C:\Users\user\Desktop\fLNzmBM9hR.exe"
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 1416
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: fLNzmBM9hR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: fLNzmBM9hR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Xml.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreStressTester.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: Accessibility.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: FileBrowserClient.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreBase.pdb\ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: System.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Windows.Forms.pdbl source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: mscorlib.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.pdb7 source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.pdbH source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Drawing.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp, dnshost.exe, 0000000C.00000000.1790740476.00000000006E2000.00000002.00000001.01000000.0000000E.sdmp, dnshost.exe.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPlugin.pdbh source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Management.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: dows\exe\MSBuild.pdb4 source: MSBuild.exe, 00000006.00000002.3078911934.00000000015F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdbMZ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPluginNew.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: MyClientPluginNew.pdbMZ@ source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.ni.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: MyClientPlugin.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: NanoCoreBase.pdb source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERC6F3.tmp.dmp.20.dr
Source:	Binary string: NanoCoreStressTester.pdbt^ source: WERC6F3.tmp.dmp.20.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs	.Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs	.Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	.Net Code: yvpR39ZiHZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	.Net Code: yvpR39ZiHZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.fLNzmBM9hR.exe.54e0000.6.raw.unpack, LoginForm.cs	.Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00F1F478 push esp; iretd	7_2_00F1F479
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_00FD0D13 push eax; iretd	7_2_00FD0D1D
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7705 push ecx; iretd	7_2_071B7706
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B775E push eax; iretd	7_2_071B775F
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7749 push eax; iretd	7_2_071B774B
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7775 push eax; iretd	7_2_071B7776
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B77D6 push ax; iretd	7_2_071B77D8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B77C3 push eax; iretd	7_2_071B77C4
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B77F0 push eax; iretd	7_2_071B77F2
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B761B push edx; iretd	7_2_071B761C
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B769F push ecx; iretd	7_2_071B76A1
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B76B7 push ecx; iretd	7_2_071B76B8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B76DA push ecx; iretd	7_2_071B76DB
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B76ED push ecx; iretd	7_2_071B76EF
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7505 push ebx; iretd	7_2_071B7507
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7520 push ebx; iretd	7_2_071B7521
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7599 push edx; iretd	7_2_071B759A
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B75AD push edx; iretd	7_2_071B75AE
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B75C7 push edx; iretd	7_2_071B75C8
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B75EC push edx; iretd	7_2_071B75EE
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B740D push esp; iretd	7_2_071B740F
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B744E push ebx; iretd	7_2_071B7450
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B747A push ebx; iretd	7_2_071B747B
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7463 push ebx; iretd	7_2_071B7464
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B74F1 push ebx; iretd	7_2_071B74F3
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7310 push ebp; iretd	7_2_071B7316
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7327 push ebp; iretd	7_2_071B732D
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B7372 push esp; iretd	7_2_071B7373
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B738F push esp; iretd	7_2_071B7391
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B73BB push esp; iretd	7_2_071B73BC
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Code function: 7_2_071B73A3 push esp; iretd	7_2_071B73A5

Source: fLNzmBM9hR.exe	Static PE information: section name: .text entropy: 7.9781458639858265
Source: dgKDUvhlvCiVpa.exe.0.dr	Static PE information: section name: .text entropy: 7.9781458639858265

Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, kneA8pFPEWPb7xDiGt.cs	High entropy of concatenated method names: 'LE0TkYUrhw', 'b92Tfis3WT', 'VRXTQbgweT', 'BYaTdJJ9gu', 'GjXTpdnJL5', 'MXRTPBk2RH', 'jW4TbfUINy', 'dJMTVjRgNj', 'agyT5btdTi', 'HbUTAxEQwC'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, VOWNRHQX9kUKKcoL7i.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fIbxClxsN7', 'THyxvmpG20', 'VFNxzur7lQ', 'aww0hZYeLT', 'oS20eLyA0N', 'HBP0xw6vKQ', 'b6W00vEOiD', 'sWGUMe4nfyA636cqhHS'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KlQkb2r7oFN52Q2qZe.cs	High entropy of concatenated method names: 'ToString', 'pOHGUtVLhe', 'lfsG71ffJT', 'q2cGspZEPs', 'EYsGmSXcA4', 'elIGLekvNe', 'nMcGI0ts9K', 'WrJGaW3F4D', 'AtpGnkIkXe', 'c0iGwG3DZ1'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, H56QvGabV6fscrZUYr.cs	High entropy of concatenated method names: 'u2IPkIIqGp', 'DxEPQLk8Rb', 'eEiPpsj4gl', 'k9Spv1USls', 'RwLpzjC2QC', 'UXCPhQXIgG', 'zf0PesVyCg', 'trIPxiZKDY', 'BcWP0bFxlv', 'BKTPRdUmlr'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, nxmtI7gx39DWI5vnUl.cs	High entropy of concatenated method names: 'RRHpDC56aw', 'OYepf5XTPQ', 'EWnpdQ7jfQ', 'hytpPSXtSM', 'fdVpbG7vcS', 'P3vd806QDT', 'E5gdB3rDyM', 'HlndjqoKVv', 'SXFdFSJxn2', 'FpRdCaZ1fm'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, SNZRMVe0WdymfJlynVe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6NY4JEuY5', 'r0GYO8dkcQ', 'RICYraP9rt', 'fjWYZaPhch', 'SUvY83U25D', 'OiEYBKTyYZ', 'DTNYjSsape'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, p8SIOJzyxjsivyojIV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cZZlSSTn6x', 'iFKlM5nK5i', 'jTilGMmKke', 'l9ylyUDsue', 'sQ4lTSATjr', 'j2kll2hiJ4', 'zgOlYGmjim'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, oqdAOl97dxk3nqr3cY.cs	High entropy of concatenated method names: 'P7wdJRtQt2', 'BbldXXb4Uy', 'ioEQseG7Rs', 'iXmQmC5uGU', 'OAOQLQCCbp', 'RlRQI9vHfx', 'RsWQaDjYaM', 'EOZQnax6pc', 'RQVQwBLgmF', 'do9QH8eIEi'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, Vv1F3Ifw1mbQLiAjti.cs	High entropy of concatenated method names: 'Dispose', 'waVeCIQUdd', 'Prwx7jOsZO', 'kGbyyp7xZI', 'ibneveA8pP', 'tWPezb7xDi', 'ProcessDialogKey', 'ptRxhTafJC', 'zlRxeLvdPD', 'hEfxxQ8ZHe'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, sPwtxoehqmVp9W195LG.cs	High entropy of concatenated method names: 'nlVlq1dtAl', 'SJMli81HCy', 'mFul353nYy', 'fC7l2AF6WO', 'DJglJies54', 'sRJlKiYgG4', 'vaklXy7dmn', 'K6BlWtejXF', 'n3vloUJn24', 'FAjl9T1Q2S'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, Kc4J6S4Iblnb55We4o.cs	High entropy of concatenated method names: 'vyJMHEXSp7', 'wCgMud8ppU', 'orUM47KOrI', 'CnZMOGug4j', 'cQmM7in6EY', 'h52Mshe95x', 'TJbMmdCK3w', 'mtaMLmLHx0', 'qIXMIZZI40', 'zHBMabLnbH'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, dDlMY8RqgfYN8K0INW.cs	High entropy of concatenated method names: 'QenePt0Imf', 'ANMebZoNJ1', 'Pg0e5KJQWa', 'QJYeAJSqdA', 'xr3eMcYAxm', 'vI7eGx39DW', 'gxNZpHf5wSm3ka96Wl', 'keRQ6qtLOa93XpaTu0', 'AEMeeRtPkv', 'tfHe0D8rkQ'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, dTafJCC3lRLvdPDdEf.cs	High entropy of concatenated method names: 'jdxTgPRLiq', 'AWUT7UrRCx', 'cHxTsrjXQS', 'cr8TmuOYke', 'wnwT4Q2yun', 'pYCTLB4NRR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	High entropy of concatenated method names: 'ff90DkIOna', 'SaY0k8sjTV', 'oYf0f44rtA', 'khU0Q4q728', 'Kfm0dWpd4R', 'acX0pUJ6KN', 'QyK0PRBM6J', 'B680bhmkNC', 'Hlb0VyLJjD', 'hOt05P6tG4'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, OmbQxuxUcHKEMN2xZL.cs	High entropy of concatenated method names: 'c8Z3nD5wy', 'dKV2D91eu', 'uR7KfpQNw', 'bpUX5QXBJ', 'PeJoPvF7h', 'UGB9rjwuK', 'Qa22cJuJnWtC7gYR1V', 'fgBjRt2TIxCNAanFdO', 'VMrT4vpaL', 'tJoY6PXJi'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, hjHIYLB4SSpneZSvS0.cs	High entropy of concatenated method names: 'f8fyF9Gdi0', 'MaYyv4dM3T', 'NvFThNEkLm', 'GydTeKymv7', 'dDwyUqEerM', 'ghXyuOcqjb', 'TbqycZN1vm', 'l30y4CW03L', 'bamyOHiYMn', 'vU3yrOkxZL'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, x1Cfjuog0KJQWacJYJ.cs	High entropy of concatenated method names: 'UPaQ2PeUcM', 'jdcQKMtRxa', 'xMGQW9TDoi', 'Ga6Qo1lQRv', 'XODQMNa5Qq', 'flqQGEYVcJ', 'J60Qy80Y1g', 'eDUQTYBT0q', 'tQWQlU6Zg0', 'NQrQYf0Men'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, FPrNA1Z02HXpGH8rCh.cs	High entropy of concatenated method names: 'xiOy5R0ao2', 'q46yABaDjF', 'ToString', 'pPDyk6YqCc', 'f0AyfOSs8s', 'Y2VyQQEahy', 'AjmydRhqP8', 'E5Eyp9p2AE', 'DcJyPWkyX7', 'z4HybRHxxh'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, Mt0ImfW2NMZoNJ1Hiu.cs	High entropy of concatenated method names: 'QDif46Drsu', 'MmwfOTiPA0', 'QfHfrK5QrX', 'vE5fZ9l56w', 'JVuf8yUwsV', 'AxbfBx0TSa', 'ROXfjGZP7H', 'tXffF792Sf', 'uMefCqcGaD', 'XmFfvYoIBW'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, RlrJ8Bc659FMOLPpT3.cs	High entropy of concatenated method names: 'mJBSWdbYLI', 'o5USoi1ml2', 'GiqSgjmvsF', 'UTqS7owb9m', 'LyOSmWWxJG', 'C57SL6jv7v', 'tGESaxcefT', 'oKLSnCcgqV', 'RDNSHgJAv4', 'psUSUxphYk'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, dHTFucwCCrkagJNH24.cs	High entropy of concatenated method names: 'iZaPqv6onw', 'o4EPikqcDk', 'tLwP3msrMx', 'RgEP2gnuOv', 'Mu6PJHQGr5', 'w1pPK4MgcT', 'fr3PXUgyah', 'S8TPWxBQ3x', 's9gPov7L7r', 'u86P9upIGS'
Source: 0.2.fLNzmBM9hR.exe.7b40000.7.raw.unpack, h8ZHejv5d21rwX7obe.cs	High entropy of concatenated method names: 'bcQleb9j0a', 'xpwl09E9dE', 'TiblRHSlU5', 'nkulkN7vwU', 'Q6mlfjFkvU', 'rRHld7v3xv', 'UO4lpo2F5L', 'y0kTjbfxcl', 'KYnTFuv2sc', 'PsoTC76ZN6'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, kneA8pFPEWPb7xDiGt.cs	High entropy of concatenated method names: 'LE0TkYUrhw', 'b92Tfis3WT', 'VRXTQbgweT', 'BYaTdJJ9gu', 'GjXTpdnJL5', 'MXRTPBk2RH', 'jW4TbfUINy', 'dJMTVjRgNj', 'agyT5btdTi', 'HbUTAxEQwC'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, VOWNRHQX9kUKKcoL7i.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'fIbxClxsN7', 'THyxvmpG20', 'VFNxzur7lQ', 'aww0hZYeLT', 'oS20eLyA0N', 'HBP0xw6vKQ', 'b6W00vEOiD', 'sWGUMe4nfyA636cqhHS'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KlQkb2r7oFN52Q2qZe.cs	High entropy of concatenated method names: 'ToString', 'pOHGUtVLhe', 'lfsG71ffJT', 'q2cGspZEPs', 'EYsGmSXcA4', 'elIGLekvNe', 'nMcGI0ts9K', 'WrJGaW3F4D', 'AtpGnkIkXe', 'c0iGwG3DZ1'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, H56QvGabV6fscrZUYr.cs	High entropy of concatenated method names: 'u2IPkIIqGp', 'DxEPQLk8Rb', 'eEiPpsj4gl', 'k9Spv1USls', 'RwLpzjC2QC', 'UXCPhQXIgG', 'zf0PesVyCg', 'trIPxiZKDY', 'BcWP0bFxlv', 'BKTPRdUmlr'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, nxmtI7gx39DWI5vnUl.cs	High entropy of concatenated method names: 'RRHpDC56aw', 'OYepf5XTPQ', 'EWnpdQ7jfQ', 'hytpPSXtSM', 'fdVpbG7vcS', 'P3vd806QDT', 'E5gdB3rDyM', 'HlndjqoKVv', 'SXFdFSJxn2', 'FpRdCaZ1fm'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, SNZRMVe0WdymfJlynVe.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6NY4JEuY5', 'r0GYO8dkcQ', 'RICYraP9rt', 'fjWYZaPhch', 'SUvY83U25D', 'OiEYBKTyYZ', 'DTNYjSsape'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, p8SIOJzyxjsivyojIV.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cZZlSSTn6x', 'iFKlM5nK5i', 'jTilGMmKke', 'l9ylyUDsue', 'sQ4lTSATjr', 'j2kll2hiJ4', 'zgOlYGmjim'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, oqdAOl97dxk3nqr3cY.cs	High entropy of concatenated method names: 'P7wdJRtQt2', 'BbldXXb4Uy', 'ioEQseG7Rs', 'iXmQmC5uGU', 'OAOQLQCCbp', 'RlRQI9vHfx', 'RsWQaDjYaM', 'EOZQnax6pc', 'RQVQwBLgmF', 'do9QH8eIEi'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, Vv1F3Ifw1mbQLiAjti.cs	High entropy of concatenated method names: 'Dispose', 'waVeCIQUdd', 'Prwx7jOsZO', 'kGbyyp7xZI', 'ibneveA8pP', 'tWPezb7xDi', 'ProcessDialogKey', 'ptRxhTafJC', 'zlRxeLvdPD', 'hEfxxQ8ZHe'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, sPwtxoehqmVp9W195LG.cs	High entropy of concatenated method names: 'nlVlq1dtAl', 'SJMli81HCy', 'mFul353nYy', 'fC7l2AF6WO', 'DJglJies54', 'sRJlKiYgG4', 'vaklXy7dmn', 'K6BlWtejXF', 'n3vloUJn24', 'FAjl9T1Q2S'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, Kc4J6S4Iblnb55We4o.cs	High entropy of concatenated method names: 'vyJMHEXSp7', 'wCgMud8ppU', 'orUM47KOrI', 'CnZMOGug4j', 'cQmM7in6EY', 'h52Mshe95x', 'TJbMmdCK3w', 'mtaMLmLHx0', 'qIXMIZZI40', 'zHBMabLnbH'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, dDlMY8RqgfYN8K0INW.cs	High entropy of concatenated method names: 'QenePt0Imf', 'ANMebZoNJ1', 'Pg0e5KJQWa', 'QJYeAJSqdA', 'xr3eMcYAxm', 'vI7eGx39DW', 'gxNZpHf5wSm3ka96Wl', 'keRQ6qtLOa93XpaTu0', 'AEMeeRtPkv', 'tfHe0D8rkQ'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, dTafJCC3lRLvdPDdEf.cs	High entropy of concatenated method names: 'jdxTgPRLiq', 'AWUT7UrRCx', 'cHxTsrjXQS', 'cr8TmuOYke', 'wnwT4Q2yun', 'pYCTLB4NRR', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, KG7cbGbyJ7qmmE4UuJ.cs	High entropy of concatenated method names: 'ff90DkIOna', 'SaY0k8sjTV', 'oYf0f44rtA', 'khU0Q4q728', 'Kfm0dWpd4R', 'acX0pUJ6KN', 'QyK0PRBM6J', 'B680bhmkNC', 'Hlb0VyLJjD', 'hOt05P6tG4'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, OmbQxuxUcHKEMN2xZL.cs	High entropy of concatenated method names: 'c8Z3nD5wy', 'dKV2D91eu', 'uR7KfpQNw', 'bpUX5QXBJ', 'PeJoPvF7h', 'UGB9rjwuK', 'Qa22cJuJnWtC7gYR1V', 'fgBjRt2TIxCNAanFdO', 'VMrT4vpaL', 'tJoY6PXJi'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, hjHIYLB4SSpneZSvS0.cs	High entropy of concatenated method names: 'f8fyF9Gdi0', 'MaYyv4dM3T', 'NvFThNEkLm', 'GydTeKymv7', 'dDwyUqEerM', 'ghXyuOcqjb', 'TbqycZN1vm', 'l30y4CW03L', 'bamyOHiYMn', 'vU3yrOkxZL'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, x1Cfjuog0KJQWacJYJ.cs	High entropy of concatenated method names: 'UPaQ2PeUcM', 'jdcQKMtRxa', 'xMGQW9TDoi', 'Ga6Qo1lQRv', 'XODQMNa5Qq', 'flqQGEYVcJ', 'J60Qy80Y1g', 'eDUQTYBT0q', 'tQWQlU6Zg0', 'NQrQYf0Men'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, FPrNA1Z02HXpGH8rCh.cs	High entropy of concatenated method names: 'xiOy5R0ao2', 'q46yABaDjF', 'ToString', 'pPDyk6YqCc', 'f0AyfOSs8s', 'Y2VyQQEahy', 'AjmydRhqP8', 'E5Eyp9p2AE', 'DcJyPWkyX7', 'z4HybRHxxh'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, Mt0ImfW2NMZoNJ1Hiu.cs	High entropy of concatenated method names: 'QDif46Drsu', 'MmwfOTiPA0', 'QfHfrK5QrX', 'vE5fZ9l56w', 'JVuf8yUwsV', 'AxbfBx0TSa', 'ROXfjGZP7H', 'tXffF792Sf', 'uMefCqcGaD', 'XmFfvYoIBW'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, RlrJ8Bc659FMOLPpT3.cs	High entropy of concatenated method names: 'mJBSWdbYLI', 'o5USoi1ml2', 'GiqSgjmvsF', 'UTqS7owb9m', 'LyOSmWWxJG', 'C57SL6jv7v', 'tGESaxcefT', 'oKLSnCcgqV', 'RDNSHgJAv4', 'psUSUxphYk'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, dHTFucwCCrkagJNH24.cs	High entropy of concatenated method names: 'iZaPqv6onw', 'o4EPikqcDk', 'tLwP3msrMx', 'RgEP2gnuOv', 'Mu6PJHQGr5', 'w1pPK4MgcT', 'fr3PXUgyah', 'S8TPWxBQ3x', 's9gPov7L7r', 'u86P9upIGS'
Source: 0.2.fLNzmBM9hR.exe.3dc5040.2.raw.unpack, h8ZHejv5d21rwX7obe.cs	High entropy of concatenated method names: 'bcQleb9j0a', 'xpwl09E9dE', 'TiblRHSlU5', 'nkulkN7vwU', 'Q6mlfjFkvU', 'rRHld7v3xv', 'UO4lpo2F5L', 'y0kTjbfxcl', 'KYnTFuv2sc', 'PsoTC76ZN6'

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	File created: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Program Files (x86)\DNS Host\dnshost.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe:Zone.Identifier read attributes | delete

Jump to behavior

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 4A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 7BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 8BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 8E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Memory allocated: 9E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 75C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 85C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 8860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory allocated: 9860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Memory allocated: 28F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7561	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4591	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 894	Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe TID: 6604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6320	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3684	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe TID: 2640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7320	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.20.dr	Binary or memory string: VMware
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.20.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.20.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.20.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.20.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.20.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 00000006.00000002.3093865655.0000000006860000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: Amcache.hve.20.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.20.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.20.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: dgKDUvhlvCiVpa.exe, 00000007.00000002.1693658054.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.20.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.20.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.20.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.20.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.20.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.20.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.20.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.20.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.20.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.20.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.20.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.20.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.20.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.20.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe"
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D08008	Jump to behavior

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\I
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql(z
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qT.M
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q<H=
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003618000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qD
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qH
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP-
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`'C
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q8}{
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql*[
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qd
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,=@
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000035FC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q`s~
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qL
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP
Source: MSBuild.exe, 00000006.00000002.3097430254.0000000007B7D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program ManagerManager
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0jX
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003612000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$(a
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q#C
Source: MSBuild.exe, 00000006.00000002.3095776311.000000000770D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000036A5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4fj
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q\|
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000385A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.000000000384E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3093806559.000000000685C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlUH
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q 2E
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q@^H
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^ql
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,f~
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qt
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qx
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q0JU
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q438
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000385A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4V
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034F4000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.000000000373A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q(
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qP)E
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034F4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerlB^q
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.00000000034D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager8
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003554000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^qlU[
Source: MSBuild.exe, 00000006.00000002.3081321042.000000000377E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q4w
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q$H@

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Users\user\Desktop\fLNzmBM9hR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\fLNzmBM9hR.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Queries volume information: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 6_2_077D59F8 GetSystemTimes,

6_2_077D59F8

Source: C:\Users\user\Desktop\fLNzmBM9hR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.20.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.20.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: fLNzmBM9hR.exe, 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSBuild.exe, 00000006.00000002.3087398590.0000000004543000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSBuild.exe, 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: MSBuild.exe, 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: MSBuild.exe, 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: MSBuild.exe, 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dgKDUvhlvCiVpa.exe, 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: MSBuild.exe, 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4b186.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a94629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f4ffbc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.3f545e5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.MSBuild.exe.6a90000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3de3638.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d2fb08.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dgKDUvhlvCiVpa.exe.3db0c18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.fLNzmBM9hR.exe.3d62528.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: fLNzmBM9hR.exe PID: 6540, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dgKDUvhlvCiVpa.exe PID: 6960, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7292, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	11 Input Capture	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	312 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	12 Software Packing	NTDS	121 Security Software Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Masquerading	Cached Domain Credentials	31 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	312 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fLNzmBM9hR.exe	75%	Virustotal		Browse
fLNzmBM9hR.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.LokiBot
fLNzmBM9hR.exe	100%	Avira	TR/AD.Nanocore.ihehd
fLNzmBM9hR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	100%	Avira	TR/AD.Nanocore.ihehd
C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DNS Host\dnshost.exe	0%	ReversingLabs
C:\Program Files (x86)\DNS Host\dnshost.exe	1%	Virustotal		Browse
C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.LokiBot
C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe	75%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.apache.org/licenses/LICENSE-2.0	0%	URL Reputation	safe
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
maxlogs.webhop.me	100%	Avira URL Cloud	malware
http://google.com	0%	Avira URL Cloud	safe
http://www.monotype.	0%	Avira URL Cloud	safe
newsddawork.3utilities.com	0%	Avira URL Cloud	safe
http://google.com	1%	Virustotal		Browse
maxlogs.webhop.me	12%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
newsddawork.3utilities.com	104.243.242.165	true	true		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
maxlogs.webhop.me	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
newsddawork.3utilities.com	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.20.dr	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	MSBuild.exe, 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp, fLNzmBM9hR.exe, 00000000.00000002.1676472894.0000000005FAB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.monotype.	fLNzmBM9hR.exe, 00000000.00000002.1676427170.0000000005F70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	fLNzmBM9hR.exe, 00000000.00000002.1673750956.0000000002A76000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, dgKDUvhlvCiVpa.exe, 00000007.00000002.1695292378.0000000002B42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	fLNzmBM9hR.exe, 00000000.00000002.1676512843.0000000007082000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.243.242.165	newsddawork.3utilities.com	United States		3223	VOXILITYGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446518
Start date and time:	2024-05-23 15:46:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fLNzmBM9hR.exe renamed because original name is a hash value
Original Sample Name:	14239732dbddfe922c297fdeac56a062.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@19/23@16/1
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 100% Number of executed functions: 106 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.244.127, 40.68.123.157, 93.184.221.240, 192.229.221.95, 13.95.31.18, 20.3.187.198, 40.126.32.140, 40.126.32.138, 40.126.32.136, 40.126.32.74, 20.190.160.14, 40.126.32.134, 20.190.160.20, 40.126.32.76, 20.42.65.92
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target dnshost.exe, PID 7492 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:46:54	API Interceptor	1x Sleep call for process: fLNzmBM9hR.exe modified
09:46:55	API Interceptor	13x Sleep call for process: powershell.exe modified
09:46:56	API Interceptor	188792x Sleep call for process: MSBuild.exe modified
09:46:57	API Interceptor	1x Sleep call for process: dgKDUvhlvCiVpa.exe modified
09:49:18	API Interceptor	1x Sleep call for process: WerFault.exe modified
14:46:56	Task Scheduler	Run new task: dgKDUvhlvCiVpa path: C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe
14:47:00	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DNS Host C:\Program Files (x86)\DNS Host\dnshost.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://info.ipreo.com/Privacy-Policy.html	Get hash	malicious	Unknown	Browse	192.229.221.95
	RFQ for PR-10453180.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	http://chocolatefashiononline.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://lnk.sk/mzoy	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://lnk.sk/twr3	Get hash	malicious	Unknown	Browse	192.229.221.95
	Agent_Install.exe	Get hash	malicious	Jupyter	Browse	192.229.221.95
	Agent_Install.exe	Get hash	malicious	Jupyter	Browse	192.229.221.95
	https://url.uk.m.mimecastprotect.com/s/pk4ACO8rYSq23vcE1w2J	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://url2.mailanyone.net/scanner?m=1s75OW-00H93j-3q&d=4%7Cmail/90/1715743800/1s75OW-00H93j-3q%7Cin2g%7C57e1b682%7C28613012%7C14303582%7C66442D0C9DE45F67A799D66BCFD1EFF8&o=4pht8//7t:b4gbocxl8..rvkoruce.m&s=Jbo_JSeAXF_5NoSAMdVs1uNtYbw	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://g84qffhbb.cc.rs6.net/tn.jsp?f=001vOSSOENWSS4200uPNQEHjSDew4NbMuiPEfXAZZvLVpSmWUMPp8xPA1aAMxaun3grFaJ03lpVQAq0CnwEItgBCJ96l3XkhNonHD4qdyLoQ9nfNBhndHEDOsc5Zhc0NCidtDQvd1XijlCuZzhEm_iedfFzIAxsfdBF&c=&ch=	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VOXILITYGB	msimg32.dll	Get hash	malicious	Remcos	Browse	104.243.242.199
	DHL_Shipping_Invoice00000_pdf.exe	Get hash	malicious	Remcos	Browse	172.94.9.229
	z7DHL_AWB_Shipping0000000.vbs	Get hash	malicious	Remcos	Browse	172.94.9.229
	z93DHL_AWB_Shipping0000000.vbs	Get hash	malicious	Remcos	Browse	172.94.9.229
	PURCHASEORDERSHEET&SPECIFICATIONSDOC.exe	Get hash	malicious	GuLoader, Remcos	Browse	172.94.9.228
	uvaXiyELu9.elf	Get hash	malicious	Mirai	Browse	104.250.189.207
	https://operationalservice.com.bas-korae.com/w?cms=joerg.donner@daiichi-sankyo.de	Get hash	malicious	HTMLPhisher	Browse	185.171.187.163
	https://microsoftonlineservice.com.general-meel.xyz/w?cms=mr.been@uk.com	Get hash	malicious	HTMLPhisher	Browse	185.171.187.163
	bTf3.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	172.111.139.95
	bTkg.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	172.111.139.95

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\DNS Host\dnshost.exe	hesaphareketi_1.exe	Get hash	malicious	AgentTesla	Browse
	Dhl-SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	INV_#501424.vbs	Get hash	malicious	XWorm	Browse
	detalle_transferencia_2024-05-13T064143.173 0200_3049280002017526_PDF.vbs	Get hash	malicious	AgentTesla	Browse
	COMPANY PROFILE_pdf.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi-01.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Payment Reciept.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SOA.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Win64.TrojanX-gen.5091.20328.exe	Get hash	malicious	Quasar	Browse
	SecuriteInfo.com.Win64.PWSX-gen.25316.31097.exe	Get hash	malicious	Clipboard Hijacker, XWorm, Xmrig	Browse

Created / dropped Files

C:\Program Files (x86)\DNS Host\dnshost.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	262432
Entropy (8bit):	6.179415524830389
Encrypted:	false
SSDEEP:	3072:7a0t0yH5wCwie3NnQNLpj/Wnqvsw2XpFU4rwOeTubZSzf02RFihx2uzj:m0ny3nnKpqnZRXfw702birr/
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
SHA1:	E6256A0159688F0560B015DA4D967F41CBF8C9BD
SHA-256:	ED9884BAC608C06B7057037CC91D90E4AE5F74DD2DBCE2AF476699C6D4492D82
SHA-512:	BD69D092ED4F9C5E1F24EAF5EC79FB316469D53849DC798FAE0FCBA5E90869B77EE924C23CC6F692198FF25827AB60AD47BB46CADD6E0AADDE7731CBAFB013BE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: hesaphareketi_1.exe, Detection: malicious, Browse Filename: Dhl-SHIPPING DOCUMENTS_PDF.exe, Detection: malicious, Browse Filename: INV_#501424.vbs, Detection: malicious, Browse Filename: detalle_transferencia_2024-05-13T064143.173 0200_3049280002017526_PDF.vbs, Detection: malicious, Browse Filename: COMPANY PROFILE_pdf.exe, Detection: malicious, Browse Filename: hesaphareketi-01.bat.exe, Detection: malicious, Browse Filename: Payment Reciept.exe, Detection: malicious, Browse Filename: SOA.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.TrojanX-gen.5091.20328.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.PWSX-gen.25316.31097.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.].........."...0..\|...B......:.... ........@.. ...............................L....`....................................O........>.............. A........................................................... ............... ..H............text...Xz... ...\|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B........................H........)...................\|...........................................{.......v.(=....r...p({...-..+..}........0..%........(....-......(z.....&..}..............................0..5........(....-...-.r+..ps>...z.....i(z.....&..}......................%......>....(?...(....N..(@....oA...(....:...(B...(....:...(C...(....*....(........0..G........(....,....(....-...}......r...p(x...&.(v.....}......&..}....................7.......0..f........-.r7..ps>...z .....

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_f553dd681214908324f05d7ad9ebff8e6dc2a494_1623435c_b407573d-7935-418a-89b8-f36dbc0c1682\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.223796834425182
Encrypted:	false
SSDEEP:	192:/ZtcOWM0MLLHzK1a60+mZjWFzuiFrZ24IO8q+:hFWHMHHu1aTjWFzuiFrY4IO8q+
MD5:	357C0CCE0D3985AA2727954EE45108F7
SHA1:	D026A0FE987268A96D2A5A7B4C187DB835A3633A
SHA-256:	EC831972621875F642E43FB578DF5E8A97C055EB38AD9FA4756B5D28491BC1A5
SHA-512:	F12188F1802143870F4D4657C27929BC328143DB26697566132E82336D6ACA279E1286BB4312E0D459A22642A7FCF811A0CDB8C44C47935E8278F1CEC7A9554C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.9.4.5.7.1.1.0.5.1.6.6.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.9.4.5.7.4.4.6.7.6.6.7.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.0.7.5.7.3.d.-.7.9.3.5.-.4.1.8.a.-.8.9.b.8.-.f.3.6.d.b.c.0.c.1.6.8.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.9.8.7.8.7.a.6.-.d.1.d.5.-.4.a.8.d.-.8.0.c.7.-.7.7.7.1.9.6.0.8.b.1.f.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.B.u.i.l.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.4.-.0.0.0.1.-.0.0.1.4.-.c.2.5.5.-.d.8.a.c.1.7.a.d.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.e.6.2.5.6.a.0.1.5.9.6.8.8.f.0.5.6.0.b.0.1.5.d.a.4.d.9.6.7.f.4.1.c.b.f.8.c.9.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4924.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6312
Entropy (8bit):	3.72165219692252
Encrypted:	false
SSDEEP:	192:R6l7wVeJFJ6eKqpYaJLMeKDpDT89bp+sfeDm:R6lXJr6gYaJLUip9f7
MD5:	EEEB85974DBBC23CCE93DD4EBFA89487
SHA1:	96CB96E8648F1248533F19A6D4909B5BABC8EF27
SHA-256:	EF5F4F79E7B2B7A2082856BD8D2E0508778A92ADD6B0CBDBE0C3EB2C37A29B5E
SHA-512:	F3070DB2731B8BFB31554312AD3CB858FD9ECAF44E06E6ADB6179DF08FA8909489C3F1F039B559405D6489AEAF1D3286E2C3121CD3FA1B1A752800F35B8051D3
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4963.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4642
Entropy (8bit):	4.457652867901404
Encrypted:	false
SSDEEP:	48:cvIwWl8zs3Jg77aI9v0WpW8VYwYm8M4JL9HNkFtN+q8K9H368mLZd:uIjfZI75t7VYJhHUZHq8mLZd
MD5:	1F916E307E706C9B0C94258BCBECD419
SHA1:	121B704EAD94560A642B46937982371BEBA50891
SHA-256:	E006E0E05393ECA17C28711A9F49A9D9BA6F16479668399FC7F6719A413EF627
SHA-512:	E082CC4740D6FC1A4117074C4A7F086B1E4B8140476AF088BD5D8588E8E13BF738C5EF2A1C33E5180FCC30E3FA92EDA03D0D1A48B521F8F2FD2200FB063C10E4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="335811" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6F3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu May 23 13:49:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	1476983
Entropy (8bit):	4.74087256417849
Encrypted:	false
SSDEEP:	12288:ALK+E8ujJieh500XQ26z7roQvyDX9lx3TzqZdDoS:ALK+JjU2DVyjjlqZJoS
MD5:	4B2736E6A5D8F991649778399B3CE3F7
SHA1:	F5C0941BF1560D0AA725417F47AF793AAA475418
SHA-256:	E099A0036952B01300922613A243CEB751E78699BC9EE2486141EB1843DC4126
SHA-512:	E8CBAC1B9F406887DDDAFBA30DE4762902C831865C65AC69B2D595696F47B7D467D5316A3C5A7F55437B12CE9966B430ECD46F837FC6F7CA094C6BC613132E7C
Malicious:	false
Preview:	MDMP..a..... .......PIOf......................... ..........$....+.......;...r..........`.......8...........T...........pO...:...........+...........-..............................................................................eJ......l.......GenuineIntel............T.......d....HOf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dgKDUvhlvCiVpa.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dnshost.exe.log

Download File

Process:	C:\Program Files (x86)\DNS Host\dnshost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1037
Entropy (8bit):	5.3594460201342535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzervEE4xDqE4j:MxHKlYHKh3oPtHo6hAHKzervEHxDqHj
MD5:	DC4D693606B39967E81E3ED651DE35B3
SHA1:	F4E6ECCB66D4D9B66E726C6BBC089A704D25A707
SHA-256:	54E5F36B1A3F58D73B9AC2BCCFC976FE015A3772D584204FE4B2C47F77A61299
SHA-512:	5C6ADD09870F5A41302A4B70C3976BD2D1E8A9C8ED0D76AE7323D9A424DE3B6255ED30CF927103A59949F883833D4AC33381E7F7039729B686DE2E86B1013B17
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fLNzmBM9hR.exe.log

Download File

Process:	C:\Users\user\Desktop\fLNzmBM9hR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8M0Uyus:fLHxvCsIfA2KRHmOugw1s
MD5:	08C4BB62AB814866FFEF46F746CB9140
SHA1:	A24D7CCEC57571B1ADD96212CC8EB391982964E9
SHA-256:	BBF508C20A76CD57ADC1E12C9239C6A82F72BC034F3B01AF7F8C3FED34FE0A6B
SHA-512:	B69AA0C4455E7074715844071FE40CC5B4069D8D54AE37AC37762282AEEBEA04A2C3C3385B29ACB11FC8DA6A17D3C4F81BF6DF9AD3AEA3A7EC29255B7CE3D231
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bxf515li.ghq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hz5jt5ps.pz5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oiyaziqw.sfh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgufgmvk.ob1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp7751.tmp

Download File

Process:	C:\Users\user\Desktop\fLNzmBM9hR.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.117911636839531
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaXxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	43661420A9E8C8A3450703867941B585
SHA1:	D272D278848EC8D31F7BAE78428268F3EC223D9C
SHA-256:	B2B73C7B3CF1319EF0EF74D5627725B5D3AFAF1AD09AC8C667DEE9454D152D14
SHA-512:	0EF692B100A6E53026A807B32EC5AC56AD930E18C6EA38928A92E365D63712ACC371C073DAE0F7F7D2F0F7FF4D2CABEF0D7BD47E8E468526602914B08A432DE1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp802A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.117911636839531
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaXxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTMv
MD5:	43661420A9E8C8A3450703867941B585
SHA1:	D272D278848EC8D31F7BAE78428268F3EC223D9C
SHA-256:	B2B73C7B3CF1319EF0EF74D5627725B5D3AFAF1AD09AC8C667DEE9454D152D14
SHA-512:	0EF692B100A6E53026A807B32EC5AC56AD930E18C6EA38928A92E365D63712ACC371C073DAE0F7F7D2F0F7FF4D2CABEF0D7BD47E8E468526602914B08A432DE1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\catalog.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	modified
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\run.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:3Lezn:3qz
MD5:	82EF622C4F77C9918DFD4E79A5B82611
SHA1:	EF864B01B934E1D7D10D5E186346315CA58CED76
SHA-256:	21C0096509897660A12ABC21DD3AF09D4F86B127A5AF581003EF586469EDB5C5
SHA-512:	9A642DE1035FAD646BC504106FBC51F9E1683E6B6916B79822C0A9CEABBC31A77AE3670F9A3F86B24EC3B81F4EF9A0CB4D2B492CE7E92144B60EBF328968F3CF
Malicious:	true
Preview:	..t..{.H

C:\Users\user\AppData\Roaming\9E146BE9-C76A-4720-BCDB-53011B87BD06\storage.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe

Download File

Process:	C:\Users\user\Desktop\fLNzmBM9hR.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	641536
Entropy (8bit):	7.971308220324232
Encrypted:	false
SSDEEP:	12288:glYifTsdxUde52iuVHaARloUgtGuFxmwk2BUY0Yk/a7LG1N7DpA:PiYd5uVHaAlhgtfvBUYuqLG1JDW
MD5:	14239732DBDDFE922C297FDEAC56A062
SHA1:	3F4F6454C4A2C1C5D1E10D5F841CE14EEF00A785
SHA-256:	1805439355F48464312B4F9C0E16301C5F211C204E197C2000E7342C8DB95C00
SHA-512:	87125027FE82DF355F6461E540AFBEDC68372FF2B29EE1531D3C6F42144D993EE044B68488C8B0144CECD6C74CBD964F5445FEE19954167E2301FF19E9E3E628
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76% Antivirus: Virustotal, Detection: 75%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Kf..............0.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......DF..`=......6........Q............................................r...p}.....r...p}.....(.....(.....(]...}....fr!..prQ..p.@.re..p(....&.r...p(....2r...p.(.....(........0..h........{....o`....+>.o....t......{....o..........%...%..oU....%..oY....=....o....&.o....-....u......,..o.............JV.......0...........{....o..... o........-.r...p(....&..+...1.r...p(....&...,..{....o....o.....{....o....o.....o....o....t......-.r)..p(....&.{....o....o.....{....o....o....

C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\fLNzmBM9hR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466370557630878
Encrypted:	false
SSDEEP:	6144:tIXfpi67eLPU9skLmb0b4OWSPKaJG8nAgejZMMhA2gX4WABl0uNddwBCswSb+:+XD94OWlLZMM6YFH7++
MD5:	EEE0F2BC29539EE63523989B8E12066E
SHA1:	B035AC997F6FF907561C6CB74F28BBE0D11DC293
SHA-256:	4655BFC11EFBC95EC36DD9D33722994D50B6E6BE02DC16D0486BC85E710579F3
SHA-512:	E4E48F22DCCA8801FAA2577061D539D795DA8E6862D30D07C0A72616E5CC3777807168A4D8764AA75B17D1D39B869A4CEC7DA4D76A323B7581EFD1F79785394D
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmV,}...................................................................................................................................................................................................................................................................................................................................................k.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\DNS Host\dnshost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	298
Entropy (8bit):	4.924206445966445
Encrypted:	false
SSDEEP:	6:zx3M1tFAbQtASR30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13P30ZMt9BFN+QdCT2UftCM+
MD5:	932782CF70ED00D22C0B08B5027B4E31
SHA1:	78F460A2155D9E819B8452C281285D7E0A7AC14F
SHA-256:	F2C2477FB3FD0A30F3D3D8637EF9C774B43E940043635DF90CDD804799A2ECE7
SHA-512:	C83E72797C03CABCAB066B95BAEEBB13944143846794061CF9482EA3B283979E470930047FDAE72A6F06F51F3127FF39DAAEFAAD7557E3AD49F590B9E7B78D24
Malicious:	false
Preview:	Microsoft (R) Build Engine version 4.8.4084.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.971308220324232
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	fLNzmBM9hR.exe
File size:	641'536 bytes
MD5:	14239732dbddfe922c297fdeac56a062
SHA1:	3f4f6454c4a2c1c5d1e10d5f841ce14eef00a785
SHA256:	1805439355f48464312b4f9c0e16301c5f211c204e197c2000e7342c8db95c00
SHA512:	87125027fe82df355f6461e540afbedc68372ff2b29ee1531d3c6f42144d993ee044b68488c8b0144cecd6c74cbd964f5445fee19954167e2301ff19e9e3e628
SSDEEP:	12288:glYifTsdxUde52iuVHaARloUgtGuFxmwk2BUY0Yk/a7LG1N7DpA:PiYd5uVHaAlhgtfvBUYuqLG1JDW
TLSH:	32D423123B69C1FBCEAE66364003515927316C7A3C85EBCA0DD2A088CFF5F67726255B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Kf..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	d4c0aa9a96d6aa80

Static PE Info

General

Entrypoint:	0x49d50e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x664BF5A6 [Tue May 21 01:15:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9d4bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0xebc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9b514	0x9b600	f46d87e626b1be8230d06841606bb515	False	0.969926903157683	data	7.9781458639858265	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0xebc	0x1000	8d018facc40c64a08fbd2da18c520755	False	0.684326171875	data	6.420705935291826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0xc	0x200	b40622e1ba3fec8862511b8db1f35945	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x9e0c8	0xb84	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8253052917232022
RT_GROUP_ICON	0x9ec5c	0x14	data	1.05
RT_VERSION	0x9ec80	0x236	data	0.4876325088339223

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/23/24-15:47:18.239422	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49744	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:30.409016	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49746	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:49.518159	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49749	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:36.408636	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49747	1620	192.168.2.4	104.243.242.165
05/23/24-15:48:01.127491	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49752	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:04.830476	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49736	1620	192.168.2.4	104.243.242.165
05/23/24-15:46:58.783649	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49732	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:50.030323	TCP	2046917	ET TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	1620	49749	104.243.242.165	192.168.2.4
05/23/24-15:47:29.411754	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49746	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:24.267940	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49745	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:45.326170	TCP	2046909	ET TROJAN NanoCore RAT Keepalive Response 1	1620	49748	104.243.242.165	192.168.2.4
05/23/24-15:47:43.543709	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49748	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:55.533842	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49751	1620	192.168.2.4	104.243.242.165
05/23/24-15:47:12.142968	TCP	2046914	ET TROJAN NanoCore RAT CnC 7	49737	1620	192.168.2.4	104.243.242.165

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 15:46:50.939971924 CEST	49675	443	192.168.2.4	173.222.162.32
May 23, 2024 15:46:56.903606892 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:56.908595085 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:56.908658981 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:56.914242983 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:56.959625006 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:57.768512011 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:57.773493052 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:57.832843065 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:57.834352970 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:57.839268923 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.361650944 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.369055033 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.374130011 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.744425058 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.745539904 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.745610952 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.748265982 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.750996113 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.751007080 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.751045942 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.756462097 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.756513119 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.759226084 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.759237051 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.759279013 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.764681101 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.766556978 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.766567945 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.766618967 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.783648968 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.815447092 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.815527916 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.820601940 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.971704006 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.972706079 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.972862005 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.975020885 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.975030899 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.975080013 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.979667902 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.979680061 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.979732990 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.985949039 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.985959053 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.986167908 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.988961935 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.988970995 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.988979101 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.989027023 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.992667913 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.992676973 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.992723942 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.995982885 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.995995045 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.996002913 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.996035099 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.996068001 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:58.999279022 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.999289036 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.999296904 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:58.999345064 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.002573013 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.002583981 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.002590895 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.002615929 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.002646923 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.198431015 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.200050116 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.200062037 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.200120926 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.200946093 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.201005936 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.202755928 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.202790976 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.202843904 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.204437971 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.204472065 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.204524040 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.207850933 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.207866907 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.207879066 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.207920074 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.211270094 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.211323977 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.212656975 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.212667942 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.212677002 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.212708950 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.215445995 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.215457916 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.215493917 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.218193054 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.218204021 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.218241930 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.221021891 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.221034050 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.221041918 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.221066952 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.221096992 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.223695993 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.223706961 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.223750114 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.225971937 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.225984097 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.226027012 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.228297949 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.228308916 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.228351116 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.230489969 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.230500937 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.230509043 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.230541945 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.232724905 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.232734919 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.232770920 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.234970093 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.234981060 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.235021114 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.237304926 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.237338066 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.237365007 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.239453077 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.239485025 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.239516020 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.241476059 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.241509914 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.241538048 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.241540909 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.241594076 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.290843010 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.343672037 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.343831062 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.428143024 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.428656101 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.428833961 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.429689884 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.429701090 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.429774046 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.432128906 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.432140112 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.432276964 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.434098005 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.434108973 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.434117079 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.434237003 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.436347008 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.436357975 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.436420918 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.438560963 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.438575983 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.438709974 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.440287113 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.440298080 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.440361023 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.442051888 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.442063093 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.442071915 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.442133904 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.442133904 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.443787098 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.443798065 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.443857908 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.445604086 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.445615053 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.445713043 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.447354078 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.447365046 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.447413921 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.449522018 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.449554920 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.449613094 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.455202103 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.455216885 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.455224991 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.455298901 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.455408096 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.455418110 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.455490112 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.456629992 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.456662893 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.456698895 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.457586050 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.457618952 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.457653999 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.459141016 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.459175110 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.459206104 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.459208012 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.459295034 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.461313963 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.461349010 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.461427927 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.462362051 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.462394953 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.462459087 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.463907003 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.463941097 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.464056969 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.465441942 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.465454102 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.465517044 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.467041016 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.467051983 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.467060089 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.467139959 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.468631029 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.468641996 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.468704939 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.470232010 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.470242977 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.470299959 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.471782923 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.471793890 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.471983910 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.472944021 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.472954035 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.472963095 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.473175049 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.474102020 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.518071890 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.518104076 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.518357038 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.518591881 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.518929005 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.518939018 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.519005060 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.519535065 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.519546032 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.519632101 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.520720005 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.520730019 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.520864964 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.521884918 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.521894932 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.522169113 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.523049116 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.523058891 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.523066998 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.523111105 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.524205923 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.524215937 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.524280071 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.655566931 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.655720949 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.656500101 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.657361031 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.657393932 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.657444954 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.657947063 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.657980919 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.658020020 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.660023928 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.660135031 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.660195112 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.660229921 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.660262108 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.660784006 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.661998987 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.663192034 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.663228989 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.663259029 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.663275957 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.663460970 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.664211988 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.664246082 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.664278030 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.664313078 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.664705038 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.665234089 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.665268898 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.665324926 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.666441917 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.666475058 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.666527987 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.666569948 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.667614937 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.667648077 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.667740107 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.668776035 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.668808937 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.668839931 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.668845892 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.668941021 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.669926882 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.669960022 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.670114040 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.671087027 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.671119928 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.671295881 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.672241926 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.672275066 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.673455954 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.673490047 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.673521042 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.673525095 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.673563004 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.674560070 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.674640894 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.674715996 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.675673008 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.675707102 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.675743103 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.676732063 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.676764965 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.676829100 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.677721977 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.677755117 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.677788973 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.678812981 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.678845882 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.678877115 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.678880930 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.678939104 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.679815054 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.679847956 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.680187941 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.680761099 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.680794001 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.680984974 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.681477070 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.681509018 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.681870937 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.682440996 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.682473898 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.682691097 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.683353901 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.683387041 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.684113026 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.684297085 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.684329987 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.685226917 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.685261011 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.685265064 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.685292006 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.685378075 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.686099052 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.686424017 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.686703920 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.686925888 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.686959028 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.686995983 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.687717915 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.688131094 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.688163996 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.688246965 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.688981056 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.689014912 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.689109087 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.690083027 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.690119982 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.693528891 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.693562984 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.693810940 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.694137096 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.694169998 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.694950104 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.699031115 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.699080944 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.699112892 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.699120998 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.699146986 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.699177980 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.699182987 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.699235916 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.701828957 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.701862097 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.701992035 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.702300072 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.702333927 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.702393055 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.703047991 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.703082085 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.703236103 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.703937054 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.703969955 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.704952955 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.704986095 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.705017090 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.705022097 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.705050945 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.705523968 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.705557108 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.705593109 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.706315994 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.706348896 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.706386089 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.707138062 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.707170010 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.707209110 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.707962990 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.707995892 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.708028078 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.708034039 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.708411932 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.708774090 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.708806038 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.709424973 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.709582090 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.709614992 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.709788084 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.710391045 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.710422993 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.710900068 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.711169004 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.745090961 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.745435953 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.745601892 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.745645046 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.745706081 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.746033907 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.746454000 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.746469975 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.746498108 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.746646881 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.747200012 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.747591972 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.747610092 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.747706890 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.748003006 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.748018980 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.748100996 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.748869896 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.748975992 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.749187946 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.749593019 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.749608994 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.749641895 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.749660969 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.749764919 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.750344038 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.750794888 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.750811100 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.751115084 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.751528025 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.751857042 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.751873016 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.751887083 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.751887083 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.751904011 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.751935959 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.752002001 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.752784014 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.752799988 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.752813101 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.752880096 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.785156965 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:46:59.798696995 CEST	1620	49732	104.243.242.165	192.168.2.4
May 23, 2024 15:46:59.798768044 CEST	49732	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:00.549215078 CEST	49675	443	192.168.2.4	173.222.162.32
May 23, 2024 15:47:03.811220884 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:03.816180944 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:03.816560984 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:03.816560984 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:03.875735044 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:03.876035929 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:03.881170034 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:04.735028028 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:04.735368013 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:04.740535021 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:04.830476046 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:04.835459948 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.230859041 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.233870983 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.239038944 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.602758884 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.603981018 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.606705904 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.606909037 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.609870911 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.609884024 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.609891891 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.609972954 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.609972954 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.615745068 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.615757942 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.615906000 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.618663073 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.618671894 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.618725061 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.624485016 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.624495983 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.624504089 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.624615908 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.628536940 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.628612041 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.675381899 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.675556898 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.827423096 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.828589916 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.828757048 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.830519915 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.831367970 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.831449986 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.833678007 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.833688021 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.833739042 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.833993912 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.838745117 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.838839054 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.841409922 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.841422081 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.841520071 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.846431971 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.846442938 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.846451044 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.846510887 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.846510887 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.850774050 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.850785017 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.850846052 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.854057074 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.854068041 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.854125023 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.857660055 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.857683897 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.857770920 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.861232042 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.861243963 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.861311913 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:05.864721060 CEST	1620	49736	104.243.242.165	192.168.2.4
May 23, 2024 15:47:05.864810944 CEST	49736	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:10.162365913 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:10.170614958 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:10.170707941 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:10.177953959 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:10.223576069 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.101604939 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.112829924 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:11.117918015 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.142960072 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:11.147850037 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.428904057 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.433749914 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:11.438847065 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.978936911 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.979760885 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.979830980 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:11.982309103 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.983582973 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.983614922 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.983697891 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:11.987353086 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.987411022 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:11.989257097 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.989268064 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.989275932 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.989330053 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:11.993040085 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.993050098 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.993088961 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:11.994929075 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.994940042 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:11.994980097 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.026680946 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.026722908 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.142967939 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.162178040 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.212218046 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.213030100 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.213073015 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.214941025 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.216875076 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.216886997 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.216922045 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.220666885 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.220707893 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.222562075 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.222570896 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.222605944 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.226345062 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.226355076 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.226361990 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.226385117 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.230144978 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.230154991 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.230190992 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.234694958 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.234724045 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.234762907 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.238661051 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.238671064 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.238712072 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.241528988 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.241539955 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.241575956 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.245348930 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.245372057 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.245379925 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.245491028 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.245491028 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.435900927 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.436642885 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.436723948 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.438463926 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.441495895 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.441529989 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.441559076 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.441561937 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.441705942 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.444237947 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.446156979 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.446190119 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.446216106 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.449997902 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.450031042 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.450056076 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.450064898 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.450119972 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.454746008 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.454780102 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.454840899 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.456912994 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.456990957 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.457046986 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.459985971 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.460019112 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.460050106 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.460078955 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.463001013 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.463035107 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.463078976 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.466118097 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.466150045 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.466181993 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.466185093 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.466238022 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.472366095 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.472398996 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.472429991 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.472461939 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.472484112 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.472523928 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.474881887 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.474915028 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.474967003 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.477634907 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.477669001 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.477725029 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.482347012 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.482378960 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.482410908 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.482537985 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.525008917 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.525152922 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.525681019 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.527115107 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.527160883 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.528498888 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.528532982 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.528563976 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.528582096 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.531290054 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.531327009 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.531348944 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.534074068 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.534106970 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.534126997 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.536875010 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.536907911 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.536938906 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.538026094 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.538058996 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.538086891 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.580409050 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.672511101 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.673090935 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.673295021 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.674330950 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.675693989 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.675709009 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.675858021 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.678327084 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.678489923 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.679678917 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.679694891 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.679708958 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.679851055 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.682337999 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.682353973 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.682384014 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.685117006 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.685132027 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.685146093 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.685225964 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.685226917 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.687119007 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.687134981 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.687295914 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.689251900 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.689266920 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.691395044 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.691411018 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.691926003 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.691926956 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.693568945 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.693584919 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.693598986 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.693649054 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.695616961 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.695632935 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.695663929 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.697568893 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.697585106 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.697634935 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.699517965 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.699533939 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.699589968 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.701421976 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.701438904 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.701478958 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.703270912 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.703286886 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.703300953 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.703321934 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.703353882 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.705135107 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.705162048 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.705200911 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.706818104 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.706834078 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.706885099 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.708512068 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.708528042 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.708686113 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.710153103 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.710169077 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.710182905 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.710218906 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.711786985 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.711802006 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.711831093 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.713376999 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.713392973 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.713428974 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.714905977 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.714921951 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.714955091 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.716619968 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.716635942 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.716672897 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.717853069 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.717868090 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.717883110 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.717897892 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.718046904 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.719278097 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.719294071 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.719459057 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.721005917 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.721020937 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.721072912 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.722065926 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.722081900 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.722148895 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.724066973 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.724081993 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.724097013 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.724138975 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.724668980 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.724684954 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.724710941 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.763828993 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.763889074 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.764275074 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.764872074 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.765027046 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.766525984 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.766542912 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.766601086 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.767267942 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.767966986 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.767982960 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.768043995 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.769438982 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.769455910 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.769470930 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.769511938 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.769545078 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.770935059 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.770951033 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.771011114 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.772443056 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.772459030 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.772516012 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.773621082 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.773637056 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.773688078 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.774944067 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.774960041 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.775012970 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.776048899 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.776067019 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.776081085 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.776113987 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.777404070 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.777420998 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.777432919 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.777463913 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.777498007 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.900353909 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.902947903 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.903105974 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.903239965 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.903255939 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.903302908 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.903899908 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.904555082 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.904568911 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.904592991 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.905250072 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.905266047 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.905308962 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.906616926 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.906680107 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.907244921 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.907962084 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.907978058 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.908010006 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.909379005 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.909394979 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.909420967 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.910679102 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.910695076 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.910707951 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.910743952 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.910768032 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.911672115 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.911686897 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.911750078 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.912772894 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.912787914 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.912827015 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.913856030 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.913867950 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.913919926 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.914912939 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.914925098 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.914933920 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.914977074 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.915987015 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.916022062 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.916043997 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.917090893 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.917136908 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.917154074 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.918138981 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.918174028 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.918210983 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.919111967 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.919147015 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.919169903 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.920094967 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.920129061 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.920152903 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.920181990 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.920692921 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.921078920 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.921114922 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.921165943 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.921996117 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.922012091 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.922060966 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.922867060 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.922883034 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.922934055 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.923748970 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.923764944 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.923778057 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.923824072 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.924634933 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.924649954 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.924699068 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.925501108 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.925517082 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.925546885 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.926368952 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.926383972 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.926409006 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.927211046 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.927227020 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.927257061 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.928060055 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.928073883 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.928083897 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.928098917 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.928128958 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.928886890 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.928900957 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.928934097 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.929703951 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.929717064 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.929757118 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.930500984 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.930514097 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.930576086 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.931335926 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.931349039 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.931360006 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.931404114 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.932022095 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.932034969 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.932074070 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.932800055 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.932812929 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.932852030 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.933532000 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.933545113 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.933583975 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.934278011 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.934290886 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.934328079 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.934956074 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.934967995 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.934978962 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.935012102 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.935020924 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.935672045 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.935683012 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.935734987 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.936373949 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.936386108 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.936429977 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.937060118 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.937072039 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.937141895 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.937755108 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.937767029 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.937777042 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.937812090 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.938441038 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.938453913 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.938486099 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.939132929 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.939143896 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.939152956 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.939183950 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.939213991 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.940114975 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.940143108 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.940151930 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.940185070 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.941072941 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.941085100 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.941096067 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.941107035 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.941117048 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.941163063 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.942090988 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.942102909 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.942114115 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.942145109 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.942172050 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.942954063 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.942965031 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.942975044 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.943001986 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.943870068 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.943881989 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.943892002 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.943903923 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.943918943 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.943943977 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.944735050 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.944746971 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.944756031 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.944772005 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.944798946 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.983042955 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.983130932 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.992100000 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.992151976 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.992428064 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.992572069 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.992661953 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.992714882 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.993019104 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.993056059 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.993091106 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.993113041 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.993578911 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.993616104 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.993673086 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.993943930 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.993978977 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.994002104 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.994034052 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.994071960 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.994117975 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.994823933 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.994859934 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.994883060 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.995443106 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.995476007 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.995520115 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:12.995812893 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:12.995863914 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:13.035006046 CEST	1620	49737	104.243.242.165	192.168.2.4
May 23, 2024 15:47:13.035165071 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:13.174303055 CEST	49737	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:17.202248096 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:17.207397938 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:17.207506895 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:17.210441113 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:17.264275074 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:17.264354944 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:17.275005102 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:18.127584934 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:18.127809048 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:18.133987904 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:18.239422083 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:18.244615078 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:18.449552059 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:18.452658892 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:18.457773924 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:19.170419931 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:19.179037094 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:19.184448957 CEST	1620	49744	104.243.242.165	192.168.2.4
May 23, 2024 15:47:19.236716032 CEST	49744	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:23.264291048 CEST	49745	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:23.272474051 CEST	1620	49745	104.243.242.165	192.168.2.4
May 23, 2024 15:47:23.275222063 CEST	49745	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:23.275466919 CEST	49745	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:23.327725887 CEST	1620	49745	104.243.242.165	192.168.2.4
May 23, 2024 15:47:24.180377007 CEST	1620	49745	104.243.242.165	192.168.2.4
May 23, 2024 15:47:24.180535078 CEST	49745	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:24.242069006 CEST	1620	49745	104.243.242.165	192.168.2.4
May 23, 2024 15:47:24.267940044 CEST	49745	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:24.272964001 CEST	1620	49745	104.243.242.165	192.168.2.4
May 23, 2024 15:47:24.499161005 CEST	1620	49745	104.243.242.165	192.168.2.4
May 23, 2024 15:47:24.503443003 CEST	49745	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:24.508547068 CEST	1620	49745	104.243.242.165	192.168.2.4
May 23, 2024 15:47:25.283638000 CEST	49745	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:29.313409090 CEST	49746	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:29.319353104 CEST	1620	49746	104.243.242.165	192.168.2.4
May 23, 2024 15:47:29.319434881 CEST	49746	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:29.319713116 CEST	49746	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:29.371620893 CEST	1620	49746	104.243.242.165	192.168.2.4
May 23, 2024 15:47:29.411753893 CEST	49746	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:29.417155027 CEST	1620	49746	104.243.242.165	192.168.2.4
May 23, 2024 15:47:30.409015894 CEST	49746	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:30.415963888 CEST	1620	49746	104.243.242.165	192.168.2.4
May 23, 2024 15:47:30.754959106 CEST	1620	49746	104.243.242.165	192.168.2.4
May 23, 2024 15:47:30.757483006 CEST	49746	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:30.765265942 CEST	1620	49746	104.243.242.165	192.168.2.4
May 23, 2024 15:47:31.267353058 CEST	1620	49746	104.243.242.165	192.168.2.4
May 23, 2024 15:47:31.270908117 CEST	49746	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:31.276050091 CEST	1620	49746	104.243.242.165	192.168.2.4
May 23, 2024 15:47:31.411976099 CEST	49746	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:35.438945055 CEST	49747	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:35.444530010 CEST	1620	49747	104.243.242.165	192.168.2.4
May 23, 2024 15:47:35.446358919 CEST	49747	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:35.446618080 CEST	49747	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:35.499716043 CEST	1620	49747	104.243.242.165	192.168.2.4
May 23, 2024 15:47:36.367651939 CEST	1620	49747	104.243.242.165	192.168.2.4
May 23, 2024 15:47:36.367944002 CEST	49747	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:36.373285055 CEST	1620	49747	104.243.242.165	192.168.2.4
May 23, 2024 15:47:36.408636093 CEST	49747	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:36.414287090 CEST	1620	49747	104.243.242.165	192.168.2.4
May 23, 2024 15:47:36.683768988 CEST	1620	49747	104.243.242.165	192.168.2.4
May 23, 2024 15:47:36.686791897 CEST	49747	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:36.692066908 CEST	1620	49747	104.243.242.165	192.168.2.4
May 23, 2024 15:47:37.408633947 CEST	49747	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:41.458394051 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:41.463964939 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:41.465385914 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:41.467838049 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:41.523691893 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:42.398086071 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:42.398350000 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:42.403836012 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:42.411065102 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:42.416297913 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:42.718206882 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:42.767899036 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:42.996392012 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:43.002321959 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:43.543709040 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:43.564888954 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:43.581459999 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:43.582129002 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:43.630825043 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:43.850511074 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:43.858762026 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:43.867815018 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:43.875381947 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:43.882566929 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:43.935213089 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:43.940742016 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:44.502428055 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:45.321415901 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:45.321522951 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:45.326105118 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:45.326141119 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:45.326169968 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:45.326195955 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:45.326199055 CEST	1620	49748	104.243.242.165	192.168.2.4
May 23, 2024 15:47:45.326217890 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:45.326258898 CEST	49748	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:48.528609991 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:48.534073114 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:48.534372091 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:48.534467936 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:48.587671995 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:49.486444950 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:49.486815929 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:49.492357016 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:49.518158913 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:49.523649931 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:49.807678938 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:49.810935020 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:49.816504002 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:50.030323029 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:50.080488920 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:50.465336084 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:50.470988989 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:50.476274967 CEST	1620	49749	104.243.242.165	192.168.2.4
May 23, 2024 15:47:50.517966986 CEST	49749	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:54.547784090 CEST	49751	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:54.631256104 CEST	1620	49751	104.243.242.165	192.168.2.4
May 23, 2024 15:47:54.635293007 CEST	49751	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:54.635411978 CEST	49751	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:54.687359095 CEST	1620	49751	104.243.242.165	192.168.2.4
May 23, 2024 15:47:55.533842087 CEST	49751	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:55.539191961 CEST	1620	49751	104.243.242.165	192.168.2.4
May 23, 2024 15:47:55.596565008 CEST	1620	49751	104.243.242.165	192.168.2.4
May 23, 2024 15:47:55.596848965 CEST	49751	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:55.602029085 CEST	1620	49751	104.243.242.165	192.168.2.4
May 23, 2024 15:47:56.123275042 CEST	1620	49751	104.243.242.165	192.168.2.4
May 23, 2024 15:47:56.126136065 CEST	49751	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:47:56.131248951 CEST	1620	49751	104.243.242.165	192.168.2.4
May 23, 2024 15:47:56.604248047 CEST	49751	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:00.766799927 CEST	49752	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:00.784782887 CEST	1620	49752	104.243.242.165	192.168.2.4
May 23, 2024 15:48:00.784863949 CEST	49752	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:00.788073063 CEST	49752	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:00.839695930 CEST	1620	49752	104.243.242.165	192.168.2.4
May 23, 2024 15:48:01.127490997 CEST	49752	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:01.132678032 CEST	1620	49752	104.243.242.165	192.168.2.4
May 23, 2024 15:48:01.694525003 CEST	1620	49752	104.243.242.165	192.168.2.4
May 23, 2024 15:48:01.694864035 CEST	49752	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:01.703577042 CEST	1620	49752	104.243.242.165	192.168.2.4
May 23, 2024 15:48:02.017055035 CEST	1620	49752	104.243.242.165	192.168.2.4
May 23, 2024 15:48:02.020348072 CEST	49752	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:02.025405884 CEST	1620	49752	104.243.242.165	192.168.2.4
May 23, 2024 15:48:02.127386093 CEST	49752	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:06.152338982 CEST	49753	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:06.157289028 CEST	1620	49753	104.243.242.165	192.168.2.4
May 23, 2024 15:48:06.157366037 CEST	49753	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:06.158972025 CEST	49753	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:06.211869955 CEST	1620	49753	104.243.242.165	192.168.2.4
May 23, 2024 15:48:07.088720083 CEST	1620	49753	104.243.242.165	192.168.2.4
May 23, 2024 15:48:07.091379881 CEST	49753	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:07.105093002 CEST	1620	49753	104.243.242.165	192.168.2.4
May 23, 2024 15:48:07.127441883 CEST	49753	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:08.281095028 CEST	49723	80	192.168.2.4	2.19.126.151
May 23, 2024 15:48:08.281142950 CEST	49724	80	192.168.2.4	199.232.210.172
May 23, 2024 15:48:08.286562920 CEST	80	49723	2.19.126.151	192.168.2.4
May 23, 2024 15:48:08.286621094 CEST	49723	80	192.168.2.4	2.19.126.151
May 23, 2024 15:48:08.354641914 CEST	80	49724	199.232.210.172	192.168.2.4
May 23, 2024 15:48:08.354691982 CEST	49724	80	192.168.2.4	199.232.210.172
May 23, 2024 15:48:11.153709888 CEST	49754	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:11.158685923 CEST	1620	49754	104.243.242.165	192.168.2.4
May 23, 2024 15:48:11.158759117 CEST	49754	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:11.158993959 CEST	49754	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:11.211374044 CEST	1620	49754	104.243.242.165	192.168.2.4
May 23, 2024 15:48:12.072204113 CEST	1620	49754	104.243.242.165	192.168.2.4
May 23, 2024 15:48:12.072532892 CEST	49754	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:12.091558933 CEST	1620	49754	104.243.242.165	192.168.2.4
May 23, 2024 15:48:12.127233028 CEST	49754	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:16.181690931 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:16.186816931 CEST	1620	49755	104.243.242.165	192.168.2.4
May 23, 2024 15:48:16.186886072 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:16.187278032 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:16.239957094 CEST	1620	49755	104.243.242.165	192.168.2.4
May 23, 2024 15:48:17.111100912 CEST	1620	49755	104.243.242.165	192.168.2.4
May 23, 2024 15:48:17.173995018 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:17.376071930 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:17.385288000 CEST	1620	49755	104.243.242.165	192.168.2.4
May 23, 2024 15:48:17.694500923 CEST	1620	49755	104.243.242.165	192.168.2.4
May 23, 2024 15:48:17.736491919 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:18.047435045 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:18.058856010 CEST	1620	49755	104.243.242.165	192.168.2.4
May 23, 2024 15:48:18.058892012 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:18.058917999 CEST	49755	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:22.077156067 CEST	49756	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:22.083285093 CEST	1620	49756	104.243.242.165	192.168.2.4
May 23, 2024 15:48:22.083534956 CEST	49756	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:22.083801985 CEST	49756	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:22.138705969 CEST	1620	49756	104.243.242.165	192.168.2.4
May 23, 2024 15:48:23.018610954 CEST	1620	49756	104.243.242.165	192.168.2.4
May 23, 2024 15:48:23.018762112 CEST	49756	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:23.023634911 CEST	1620	49756	104.243.242.165	192.168.2.4
May 23, 2024 15:48:23.087697029 CEST	49756	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:27.108050108 CEST	49757	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:27.112974882 CEST	1620	49757	104.243.242.165	192.168.2.4
May 23, 2024 15:48:27.113029957 CEST	49757	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:27.113260984 CEST	49757	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:27.163258076 CEST	1620	49757	104.243.242.165	192.168.2.4
May 23, 2024 15:48:28.015703917 CEST	1620	49757	104.243.242.165	192.168.2.4
May 23, 2024 15:48:28.016149998 CEST	49757	1620	192.168.2.4	104.243.242.165
May 23, 2024 15:48:28.021039009 CEST	1620	49757	104.243.242.165	192.168.2.4
May 23, 2024 15:48:28.096065044 CEST	49757	1620	192.168.2.4	104.243.242.165

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 23, 2024 15:46:56.876147985 CEST	60518	53	192.168.2.4	8.8.8.8
May 23, 2024 15:46:56.885766029 CEST	53	60518	8.8.8.8	192.168.2.4
May 23, 2024 15:47:03.801042080 CEST	54990	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:03.810233116 CEST	53	54990	8.8.8.8	192.168.2.4
May 23, 2024 15:47:10.144380093 CEST	51559	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:10.159089088 CEST	53	51559	8.8.8.8	192.168.2.4
May 23, 2024 15:47:17.191318989 CEST	61694	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:17.201508999 CEST	53	61694	8.8.8.8	192.168.2.4
May 23, 2024 15:47:23.253621101 CEST	59576	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:23.263489962 CEST	53	59576	8.8.8.8	192.168.2.4
May 23, 2024 15:47:29.300508976 CEST	60025	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:29.310802937 CEST	53	60025	8.8.8.8	192.168.2.4
May 23, 2024 15:47:35.429822922 CEST	57304	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:35.437947989 CEST	53	57304	8.8.8.8	192.168.2.4
May 23, 2024 15:47:41.439472914 CEST	61449	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:41.452563047 CEST	53	61449	8.8.8.8	192.168.2.4
May 23, 2024 15:47:48.518832922 CEST	58923	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:48.527988911 CEST	53	58923	8.8.8.8	192.168.2.4
May 23, 2024 15:47:54.534435987 CEST	60196	53	192.168.2.4	8.8.8.8
May 23, 2024 15:47:54.546072960 CEST	53	60196	8.8.8.8	192.168.2.4
May 23, 2024 15:48:00.749634027 CEST	57267	53	192.168.2.4	8.8.8.8
May 23, 2024 15:48:00.763087988 CEST	53	57267	8.8.8.8	192.168.2.4
May 23, 2024 15:48:06.144095898 CEST	62418	53	192.168.2.4	8.8.8.8
May 23, 2024 15:48:06.151668072 CEST	53	62418	8.8.8.8	192.168.2.4
May 23, 2024 15:48:11.143938065 CEST	62546	53	192.168.2.4	8.8.8.8
May 23, 2024 15:48:11.153093100 CEST	53	62546	8.8.8.8	192.168.2.4
May 23, 2024 15:48:16.167520046 CEST	51554	53	192.168.2.4	8.8.8.8
May 23, 2024 15:48:16.179789066 CEST	53	51554	8.8.8.8	192.168.2.4
May 23, 2024 15:48:22.065913916 CEST	55661	53	192.168.2.4	8.8.8.8
May 23, 2024 15:48:22.074158907 CEST	53	55661	8.8.8.8	192.168.2.4
May 23, 2024 15:48:27.097287893 CEST	61296	53	192.168.2.4	8.8.8.8
May 23, 2024 15:48:27.107409000 CEST	53	61296	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 23, 2024 15:46:56.876147985 CEST	192.168.2.4	8.8.8.8	0xf1f5	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:03.801042080 CEST	192.168.2.4	8.8.8.8	0xef1	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:10.144380093 CEST	192.168.2.4	8.8.8.8	0x898e	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:17.191318989 CEST	192.168.2.4	8.8.8.8	0x722e	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:23.253621101 CEST	192.168.2.4	8.8.8.8	0x43a4	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:29.300508976 CEST	192.168.2.4	8.8.8.8	0x441e	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:35.429822922 CEST	192.168.2.4	8.8.8.8	0x843d	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:41.439472914 CEST	192.168.2.4	8.8.8.8	0x3ec	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:48.518832922 CEST	192.168.2.4	8.8.8.8	0x1b81	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:54.534435987 CEST	192.168.2.4	8.8.8.8	0x5064	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:00.749634027 CEST	192.168.2.4	8.8.8.8	0xac6d	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:06.144095898 CEST	192.168.2.4	8.8.8.8	0x9dc8	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:11.143938065 CEST	192.168.2.4	8.8.8.8	0xf108	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:16.167520046 CEST	192.168.2.4	8.8.8.8	0xd168	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:22.065913916 CEST	192.168.2.4	8.8.8.8	0xb402	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:27.097287893 CEST	192.168.2.4	8.8.8.8	0x2915	Standard query (0)	newsddawork.3utilities.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 23, 2024 15:46:56.885766029 CEST	8.8.8.8	192.168.2.4	0xf1f5	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:03.810233116 CEST	8.8.8.8	192.168.2.4	0xef1	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:10.159089088 CEST	8.8.8.8	192.168.2.4	0x898e	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:14.644126892 CEST	1.1.1.1	192.168.2.4	0x34e7	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 15:47:14.644126892 CEST	1.1.1.1	192.168.2.4	0x34e7	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:17.201508999 CEST	8.8.8.8	192.168.2.4	0x722e	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:23.263489962 CEST	8.8.8.8	192.168.2.4	0x43a4	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:28.198183060 CEST	1.1.1.1	192.168.2.4	0xaa6b	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 23, 2024 15:47:28.198183060 CEST	1.1.1.1	192.168.2.4	0xaa6b	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:29.310802937 CEST	8.8.8.8	192.168.2.4	0x441e	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:35.437947989 CEST	8.8.8.8	192.168.2.4	0x843d	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:41.452563047 CEST	8.8.8.8	192.168.2.4	0x3ec	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:48.527988911 CEST	8.8.8.8	192.168.2.4	0x1b81	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:47:54.546072960 CEST	8.8.8.8	192.168.2.4	0x5064	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:00.763087988 CEST	8.8.8.8	192.168.2.4	0xac6d	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:06.151668072 CEST	8.8.8.8	192.168.2.4	0x9dc8	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:11.153093100 CEST	8.8.8.8	192.168.2.4	0xf108	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:16.179789066 CEST	8.8.8.8	192.168.2.4	0xd168	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:22.074158907 CEST	8.8.8.8	192.168.2.4	0xb402	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false
May 23, 2024 15:48:27.107409000 CEST	8.8.8.8	192.168.2.4	0x2915	No error (0)	newsddawork.3utilities.com		104.243.242.165	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:46:53
Start date:	23/05/2024
Path:	C:\Users\user\Desktop\fLNzmBM9hR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fLNzmBM9hR.exe"
Imagebase:	0x640000
File size:	641'536 bytes
MD5 hash:	14239732DBDDFE922C297FDEAC56A062
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000000.00000002.1674369825.0000000003D2F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:46:55
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe"
Imagebase:	0x860000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:46:55
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:46:55
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp7751.tmp"
Imagebase:	0x60000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:46:55
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:46:55
Start date:	23/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xf20000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3092185822.0000000005F20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3096285589.0000000007760000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3087398590.0000000004543000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3095814524.0000000007710000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3095890255.0000000007720000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3097033300.00000000079F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3097298200.0000000007A30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3096864447.00000000077E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3096361141.0000000007770000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3097114258.0000000007A00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3096223687.0000000007750000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3096480105.0000000007790000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3096562078.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000006.00000002.3087398590.00000000045E0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3081321042.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3096414766.0000000007780000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000006.00000002.3094559477.0000000006A90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000006.00000002.3081321042.00000000032AD000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:46:56
Start date:	23/05/2024
Path:	C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\dgKDUvhlvCiVpa.exe
Imagebase:	0x5c0000
File size:	641'536 bytes
MD5 hash:	14239732DBDDFE922C297FDEAC56A062
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 00000007.00000002.1696812697.0000000003DB0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs Detection: 75%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:46:57
Start date:	23/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:46:57
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dgKDUvhlvCiVpa" /XML "C:\Users\user\AppData\Local\Temp\tmp802A.tmp"
Imagebase:	0x60000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:46:57
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:46:57
Start date:	23/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xb40000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore, Description: detect Nanocore in memory, Source: 0000000B.00000002.1733374703.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.1736727761.0000000003F09000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.1736360700.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:47:09
Start date:	23/05/2024
Path:	C:\Program Files (x86)\DNS Host\dnshost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DNS Host\dnshost.exe"
Imagebase:	0x6e0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 1%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:47:10
Start date:	23/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:48:30
Start date:	23/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 1416
Imagebase:	0x5f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	93
Total number of Limit Nodes:	4

Executed Functions

Function 00D6AD28 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D6AF7E

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 36069461266de57a8b681f3289c7d08ea39949e32c0f0dc6eda016178fcade69
Instruction ID: ab7702e3e939087ecfb086a278b9e21ed76b145ee59f570264f3f8f5a4045074
Opcode Fuzzy Hash: 36069461266de57a8b681f3289c7d08ea39949e32c0f0dc6eda016178fcade69
Instruction Fuzzy Hash: 59713470A00B058FD724DF2AD04575ABBF1FF88304F04892DE48AA7A51D775E945CFA2

Function 00D658EC Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D659A9

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b093bc52e522a84dc2ad1943740370c0994e6632cb1b7d34d6c3db768dd3ae22
Instruction ID: 9eaae112a97380cac1a6c5b60d26a7cc541ccacfd81d64920390171c2c79bb59
Opcode Fuzzy Hash: b093bc52e522a84dc2ad1943740370c0994e6632cb1b7d34d6c3db768dd3ae22
Instruction Fuzzy Hash: 0C5102B0C00719CFDB24DFA9C8847DDBBF1AF48314F24806AD408AB255D775A989CFA1

Function 00D644B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00D659A9

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7abb5f229f71a873dedd32e8c6ee0bc7760ac9864491d14bc0f5dd391ad74aca
Instruction ID: eca70707fb0317e796fcb6035bc6aeec36a4372436996153246f6d49073bf938
Opcode Fuzzy Hash: 7abb5f229f71a873dedd32e8c6ee0bc7760ac9864491d14bc0f5dd391ad74aca
Instruction Fuzzy Hash: 6B41E2B0C0071DCBDB24DFAAC844B9EBBF5BF48314F20816AD409AB255DB716985CFA0

Function 00D6D6C1 Relevance: 1.6, APIs: 1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D6D5C6,?,?,?,?,?), ref: 00D6D687

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ad4847a3336e9b0f7a6a8e94df3946c833017710c7d44f617ab79ce8e59cd121
Instruction ID: 3fda2744278fd4b8ae090697d7c92c59bf4b9bf4d802654b58c48a0818bcbf67
Opcode Fuzzy Hash: ad4847a3336e9b0f7a6a8e94df3946c833017710c7d44f617ab79ce8e59cd121
Instruction Fuzzy Hash: F83170347403448FEB08EF60F4587697BA2F7C4714F118439EA258B7D8CAB95886CB11

Function 00D6B710 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D6D5C6,?,?,?,?,?), ref: 00D6D687

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5e9914260281a944de3edc92eda5186b753cc7138af8f095d0454137c7ebd9f5
Instruction ID: 99d84ced512e3b4eed40b87bd6ec9075335fad7bbce726c2ac0c59ca3a1c5fea
Opcode Fuzzy Hash: 5e9914260281a944de3edc92eda5186b753cc7138af8f095d0454137c7ebd9f5
Instruction Fuzzy Hash: F02105B5D003089FDB10CF9AD884AEEBBF9EB48320F14801AE918A3311D374A940CFA4

Function 00D6D5F8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D6D5C6,?,?,?,?,?), ref: 00D6D687

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d91ef910522a30541c75db70f355e7653ef505843f1efd3ddc1d9279a9a5b7c2
Instruction ID: 330646519723aa1266cc59f6b0d2ad72d33ea54175ad1efd9dd1fc6641fdb972
Opcode Fuzzy Hash: d91ef910522a30541c75db70f355e7653ef505843f1efd3ddc1d9279a9a5b7c2
Instruction Fuzzy Hash: E421E3B5D002099FDB10CF9AD485ADEBFF5EB48320F24841AE918A7351D374A944CFA1

Function 00D6A0E8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D6AFF9,00000800,00000000,00000000), ref: 00D6B20A

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 233686ada7ed9bbe72e2f01c4909b84be8c19b475d27bd06100cb6adba119e03
Instruction ID: 4fc14265e4c96b8ef06cb6ad487c6ef26841680c801d0627062e02bf082960d6
Opcode Fuzzy Hash: 233686ada7ed9bbe72e2f01c4909b84be8c19b475d27bd06100cb6adba119e03
Instruction Fuzzy Hash: 8811E7B59003099FDB10DF9AD448B9EFBF4EB48320F14841AD559B7201C775A945CFA5

Function 00D6B198 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D6AFF9,00000800,00000000,00000000), ref: 00D6B20A

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3c1f05cc03da715206e1a256ba76e7b6dd6e20f16ef06c4857c127029bf7beb2
Instruction ID: 2087f654653f11b8ed1b21340a9463c149640e47a1ad95177f448e146260f10e
Opcode Fuzzy Hash: 3c1f05cc03da715206e1a256ba76e7b6dd6e20f16ef06c4857c127029bf7beb2
Instruction Fuzzy Hash: F61129B6C003098FDB10CF9AD444ADEFBF4EB48320F14841AD519B7200C379A945CFA5

Function 00D6AF18 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00D6AF7E

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: dc45022a58462e29416a8b8d5fb3c06563c17671275c21a7856a2762f020cc78
Instruction ID: d82361a018b1e223bd8d144451121924e98c8dfc40b7c924381d524038d9a234
Opcode Fuzzy Hash: dc45022a58462e29416a8b8d5fb3c06563c17671275c21a7856a2762f020cc78
Instruction Fuzzy Hash: 8411DFB5C003498FDB10DF9AC444A9EFBF4EF88324F14845AE469B7210C379A545CFA2

Function 04A90578 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04A92A75

Memory Dump Source

Source File: 00000000.00000002.1675503096.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a90000_fLNzmBM9hR.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d907cec9cef61df27885bdabf40900dc972e848eb121986519c76cefde82ef93
Instruction ID: 283d2fa558f1b3388bb5dfcd3b209fb8d96af72442c91211c9dddd65e5eb66e9
Opcode Fuzzy Hash: d907cec9cef61df27885bdabf40900dc972e848eb121986519c76cefde82ef93
Instruction Fuzzy Hash: AD110AB68003499FDB10DF99C445BDEBBF8EB58320F108859D514B7601C375A944CFA1

Function 04A92A10 Relevance: 1.5, APIs: 1, Instructions: 45
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04A92A75

Memory Dump Source

Source File: 00000000.00000002.1675503096.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a90000_fLNzmBM9hR.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: f659fab861d50198482137b264ca9dd111fc80c597c9bf1c7be918fb340d5f84
Instruction ID: b66dd503738571a43d73bc4e0244e0c168c7ca8ab2d139500250f2eabdcea4f4
Opcode Fuzzy Hash: f659fab861d50198482137b264ca9dd111fc80c597c9bf1c7be918fb340d5f84
Instruction Fuzzy Hash: CC1103B68003499FDB10CF99C989BDEBBF8EF48324F10885AD558B7601C374A984CFA1

Function 00CAD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672665308.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ea8fcd01e63b8ca3a0e91ceea04666e1a8c120b3c67e88d02f0f51dcbd7765
Instruction ID: ee71710a74272f4dd39a0a8450cac94e9e6d213179553e85bc5829a3edbc46ee
Opcode Fuzzy Hash: 00ea8fcd01e63b8ca3a0e91ceea04666e1a8c120b3c67e88d02f0f51dcbd7765
Instruction Fuzzy Hash: 8F2148B1500305DFDB01DF04C9C4B16BF65FB98328F20C568E80B0B656C336E856CBA2

Function 00CBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672735279.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea3a77221eb5ca9452cfb88386ec1877f479b8667fdab4eef2894ac2b59fb0e
Instruction ID: 3334fc2dd4511040efb33214cd38bbc19de433b0efe56e1171230c2b73ed83d9
Opcode Fuzzy Hash: bea3a77221eb5ca9452cfb88386ec1877f479b8667fdab4eef2894ac2b59fb0e
Instruction Fuzzy Hash: B221D375604200DFCB14EF14E9C4B56BBA5EB94314F24C569D80B4B286D33AD807CA61

Function 00CBD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672735279.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4191e8cc66c1cf4c1b5e5fdd258f9d7087990320ef56d7192545ea024f7e0f
Instruction ID: ba95156ffd90854ccb3c272c8034465eabbf37be22a2b4f321b0e0db89b22093
Opcode Fuzzy Hash: ce4191e8cc66c1cf4c1b5e5fdd258f9d7087990320ef56d7192545ea024f7e0f
Instruction Fuzzy Hash: ED21F575604240EFDB05DF14D9C4B65BBA5FB94314F24C6ADE80B4B292D336DC46CB62

Function 00CBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672735279.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a0cb09f926351cca48b560a30f420264cd0c4301c50ee20e31f0db78519560
Instruction ID: 95a41fdd58a9626cf0980c0b331c8c89569995c391bc7bee188c5443718bf461
Opcode Fuzzy Hash: 09a0cb09f926351cca48b560a30f420264cd0c4301c50ee20e31f0db78519560
Instruction Fuzzy Hash: 3F219F755093C08FCB02DF24D994715BF71EB46314F28C5EAD84A8F2A7C33A980ACB62

Function 00CAD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672665308.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: b5a69952c58e1f57f0200457b4a63035cd8de433d829e3c321c2303f4946ca5e
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 25112676504341CFDB02CF00D5C4B16BF72FB98324F24C2A9D80A0B656C33AE95ACBA1

Function 00CBD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672735279.0000000000CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cbd000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 8cb0ddab276958d26be10c108e2832624db2b5a57b11bd492f1f902a6bcfa897
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: EB11BB75904280DFCB02CF10C5C4B15BBB2FB84324F24C6ADD84A4B296C33AD84ACB62

Function 00CAD759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672665308.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088aba75486239cf3489c989c58e643bbf97941bf89bcfaba5c50937410e1595
Instruction ID: 37be418e72fcef316a873312c52ec84d5f9887ee1253a0e13c832b239734ddc2
Opcode Fuzzy Hash: 088aba75486239cf3489c989c58e643bbf97941bf89bcfaba5c50937410e1595
Instruction Fuzzy Hash: B5012B710083459AE7144B16DCC4B66FFE8DF52339F18C85AEC1F8A68AC3389840C671

Function 00CAD758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672665308.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cad000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e059ffefcfa6ae84c3a796898ef75defe685d09dbe97fe59d3a9b9b3d7db8de
Instruction ID: 9f2dac907bfc5767f5491ea3c57cb8cca3c52932031c65e9db7e04da5c96134a
Opcode Fuzzy Hash: 1e059ffefcfa6ae84c3a796898ef75defe685d09dbe97fe59d3a9b9b3d7db8de
Instruction Fuzzy Hash: BDF0F6310043409EE7248B06DC84B62FFE8EF51735F18C45AED1A4B28AC379AC40CAB1

Non-executed Functions

Function 04A93628 Relevance: 2.8, Strings: 2, Instructions: 298COMMON

Download Yara Rule

Strings

PH^q, xrefs: 04A93813
PH^q, xrefs: 04A938EB

Memory Dump Source

Source File: 00000000.00000002.1675503096.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a90000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: a3a8badac460ec99e40c0b4d5a186338e45a5b02bba652e8cab51a8ade4353be
Instruction ID: 5d38af5bcf15011f6789ea20f7844b4a48bda576df3f559bd04c6cf8c34ba75c
Opcode Fuzzy Hash: a3a8badac460ec99e40c0b4d5a186338e45a5b02bba652e8cab51a8ade4353be
Instruction Fuzzy Hash: D3D1A274A00605CFDB18DF69C598BA9B7F1BF4C701F2580A9E90AAB361DB31AD41CF60

Function 04A95520 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675503096.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a90000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027b23b9a64bc97b408fa3adea326575371a0cd1c7704074188faa394ab4a1e7
Instruction ID: 81f395ed8a906130bc410561b2b8b70d47bb907d96e6a59aa2d90f7229d155be
Opcode Fuzzy Hash: 027b23b9a64bc97b408fa3adea326575371a0cd1c7704074188faa394ab4a1e7
Instruction Fuzzy Hash: 83D1BC72B006009BEB1ADB79C551B6EB7FAAF89304F14886DD186DB291DF35EC01CB61

Function 04A90AC8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675503096.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a90000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 243b2f73a8c0d589db0f7ba8db3838cab2ca81ef21bc7c8447a3651f84099c28
Instruction ID: d5bc2c66761dd8ae36dda30c3475ec94f4616f61a73235653bb90d775a4e6501
Opcode Fuzzy Hash: 243b2f73a8c0d589db0f7ba8db3838cab2ca81ef21bc7c8447a3651f84099c28
Instruction Fuzzy Hash: 8AE1C674E051198FCB14DFA9C5909AEBBF2FF89304F248169D414AB359D731AD82CFA1

Function 00D6D2E4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1672946729.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d60000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0529d4669d2038ec4c4b752804e6e7296e6899d84b5fe49456a4a4e674c92a3c
Instruction ID: 84c5f5e863bdce084ecf1fd1b0e9749b3cf166464707c60fa9cd9bfb988310a7
Opcode Fuzzy Hash: 0529d4669d2038ec4c4b752804e6e7296e6899d84b5fe49456a4a4e674c92a3c
Instruction Fuzzy Hash: 81A17E36E006099FCF19DFB4D84059EB7B2FF85300B15857AE906AB265DB31ED46CB60

Function 04A90AB9 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1675503096.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4a90000_fLNzmBM9hR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7a5389655be0f7c56bb68b3db0a16853bebcc17b2ae5916b77d960217cc7e0
Instruction ID: 8a38a2ce46c32e49c86ea150eab073bee563fdda61820797292159b8d07a0573
Opcode Fuzzy Hash: 7c7a5389655be0f7c56bb68b3db0a16853bebcc17b2ae5916b77d960217cc7e0
Instruction Fuzzy Hash: 26510874E052198BCB14CFA9C9805AEFBF2FF89304F24C569D418AB355D731A942CFA1

Analysis Process: MSBuild.exePID: 7012, Parent PID: 6540COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	10.7%
Total number of Nodes:	121
Total number of Limit Nodes:	12

Executed Functions

Function 077D59F8 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3096797499.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08810d76f1a4ecdd74aa0d87a876dc5f043d776ba779d02d91de4091565632a
Instruction ID: f2bdda7fe37073f358d89b0f0511d287e1102de5cb49517542d47d814fdc2c7d
Opcode Fuzzy Hash: e08810d76f1a4ecdd74aa0d87a876dc5f043d776ba779d02d91de4091565632a
Instruction Fuzzy Hash: E451AF71D012199FCB10EFA9D984AEEBFF5EF49310F10816AE918A7340D7309918CBA2

Function 06ACE4C8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3094786365.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ac0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c3add32ab40e0673614a0d38e59f12c778a91fe7291b757797d1fd7080f296
Instruction ID: ed96420e6cc45602d323dcf2cb2371822bbffbd99b7b5835c6b8404dfb7d81d4
Opcode Fuzzy Hash: a0c3add32ab40e0673614a0d38e59f12c778a91fe7291b757797d1fd7080f296
Instruction Fuzzy Hash: E0511578E012089FDB44DFA8E899AADBFB2FB88311F148069E905A7350DB356D81CF50

Function 017ED408 Relevance: 6.1, APIs: 4, Instructions: 139
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 017ED496
GetCurrentThread.KERNEL32 ref: 017ED4D3
GetCurrentProcess.KERNEL32 ref: 017ED510
GetCurrentThreadId.KERNEL32 ref: 017ED569

Memory Dump Source

Source File: 00000006.00000002.3080178357.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17e0000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: b32e238f3b45dc4cef461607c7f320ad5de187dacf5dcace8cbb1d562fe5f90e
Instruction ID: b0dcf4744101b457f0465b6227db28c29dc1f8344076c4147b316b494f923685
Opcode Fuzzy Hash: b32e238f3b45dc4cef461607c7f320ad5de187dacf5dcace8cbb1d562fe5f90e
Instruction Fuzzy Hash: EB5176B09043498FDB18DFA9D548B9EBFF1EF4C314F20806AD409A7390D774A984CB65

Function 017ED418 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 017ED496
GetCurrentThread.KERNEL32 ref: 017ED4D3
GetCurrentProcess.KERNEL32 ref: 017ED510
GetCurrentThreadId.KERNEL32 ref: 017ED569

Memory Dump Source

Source File: 00000006.00000002.3080178357.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17e0000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9e953c26ef29bc7f0da7b9b32aaf7b00cd6b428345c7bffd4162e957715d88d2
Instruction ID: 4d9fefc67d8a7aaac22b2685c51b19555830d20e8c967783317fd296ad71b04d
Opcode Fuzzy Hash: 9e953c26ef29bc7f0da7b9b32aaf7b00cd6b428345c7bffd4162e957715d88d2
Instruction Fuzzy Hash: 925135B09003098FDB18DFAAD548B9EBBF1EF8C314F20C459E419A7390D774A984CB65

Function 06AC5488 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3094786365.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ac0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109d8b35e4fe7b5e6ecdb3a578f1ea4b5651c00ab852ea2edd3a1b4ca952e739
Instruction ID: e5c44ec4fc0bba857721ec1b0b5c399ae81cbe876db52117edd4ebfbfb3b94fd
Opcode Fuzzy Hash: 109d8b35e4fe7b5e6ecdb3a578f1ea4b5651c00ab852ea2edd3a1b4ca952e739
Instruction Fuzzy Hash: 80918CB1D003099FCB50EFA9C9806DEBBF6FF49310F24812AE415AB251DB70A959CF91

Function 077D5B05 Relevance: 1.7, APIs: 1, Instructions: 225timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNELBASE(?,?,?), ref: 077D5E44

Memory Dump Source

Source File: 00000006.00000002.3096797499.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_MSBuild.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: ab075251f2a2bbccfe5f1937ccbd42d434fa77cd66ac64ee21c157c84422e62c
Instruction ID: 32810068bd80ca2eaff2f98ed9233eda7f09aaed50dfdc9b44dfabd8c55a6318
Opcode Fuzzy Hash: ab075251f2a2bbccfe5f1937ccbd42d434fa77cd66ac64ee21c157c84422e62c
Instruction Fuzzy Hash: 02B19FB5D0021ACFDB10DF69C880AD9FBB5FF59310F15C69AD958AB201E770AA85CF90

Function 017EAD88 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017EAFDE

Memory Dump Source

Source File: 00000006.00000002.3080178357.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17e0000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c22155b4b51f9d4b00d1006b2058de370709df422647b2d16b9566c669b9b684
Instruction ID: 546dfa2f44d798ce918b6bd83356842bfcee46f4fc001405784af9afc1cd9a5c
Opcode Fuzzy Hash: c22155b4b51f9d4b00d1006b2058de370709df422647b2d16b9566c669b9b684
Instruction Fuzzy Hash: 677122B0A00B058FDB24DF2AD44975ABBF1FF88314F008A2DD58AD7A44DB75E945CB90

Function 06AC3850 Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3094786365.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ac0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d56b15a849b73e06fbfc2725ebd787afdf4e065d8e5ec1ae8a9863fc71d2d0f4
Instruction ID: 26f7098d8dd8e7a4509697b8f35a0baee3824ad995567e0a4402c98290b965bd
Opcode Fuzzy Hash: d56b15a849b73e06fbfc2725ebd787afdf4e065d8e5ec1ae8a9863fc71d2d0f4
Instruction Fuzzy Hash: 4F6178B1C043599FDB11EFA9C890BDEBFF1AF45314F28805AE804AB251DB74A849CF91

Function 06AC388C Relevance: 1.6, APIs: 1, Instructions: 140networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06AC5668

Memory Dump Source

Source File: 00000006.00000002.3094786365.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6ac0000_MSBuild.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: ae9c4609540c1944ff68c975c06315dae62031ea9f0288a1e8bc08ec0a36cb6f
Instruction ID: ddc377a4174e9a9e95f8564a133f31568fed3d3562be869208302b3388273ab1
Opcode Fuzzy Hash: ae9c4609540c1944ff68c975c06315dae62031ea9f0288a1e8bc08ec0a36cb6f
Instruction Fuzzy Hash: A65113B0D006199FCB54DFA9C880ADEBBF1FF48314F24812AE814AB250DB74A956CF91

Function 077D5AE8 Relevance: 1.6, APIs: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNELBASE(?,?,?), ref: 077D5E44

Memory Dump Source

Source File: 00000006.00000002.3096797499.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_MSBuild.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: 1f2cecdf231f96ac575c11bfbc67d4db317540526999e4a21e27c1fbd9956161
Instruction ID: 905a05471324ac7e5aa70fd6a1d77a6a7d8b0ff2e4bfcb93ea78a9a6f3cb9a0e
Opcode Fuzzy Hash: 1f2cecdf231f96ac575c11bfbc67d4db317540526999e4a21e27c1fbd9956161
Instruction Fuzzy Hash: AB3112B1C012589FCB10DFA9D584ADEFFF4AF49310F2481AAE908EB341D3349944CBA5

Function 077D5ACB Relevance: 1.6, APIs: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNELBASE(?,?,?), ref: 077D5E44

Memory Dump Source

Source File: 00000006.00000002.3096797499.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_MSBuild.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: f286e866c6089ad5c3d70c25817338d6c0e723c900bad4dd1415ccbb1d0fd824
Instruction ID: 3dbec719eeca0aec3be184d9a2455aef3bb891bc5d39c6827322e4db6f4fc515
Opcode Fuzzy Hash: f286e866c6089ad5c3d70c25817338d6c0e723c900bad4dd1415ccbb1d0fd824
Instruction Fuzzy Hash: 223111B1D012499FCB00DFA9D484ADEFFF4AF49310F2080AAE918EB251D3389944CFA5

Function 017ED658 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017ED6E7

Memory Dump Source

Source File: 00000006.00000002.3080178357.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17e0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5ae9ade6070b8b490bea05a65a66cf8eeada3e50692d1995992bbf0112051ae2
Instruction ID: 735a0c4186fe21be56783a126ef404b17fed8379b39791f763fcc83475ef884e
Opcode Fuzzy Hash: 5ae9ade6070b8b490bea05a65a66cf8eeada3e50692d1995992bbf0112051ae2
Instruction Fuzzy Hash: AE21E2B5900209AFDB10DF9AD885AEEBBF5EB48310F14811AE918A3350D375AA54DFA1

Function 017ED660 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017ED6E7

Memory Dump Source

Source File: 00000006.00000002.3080178357.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17e0000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5f1e954273f57214f24a72954ca1193e435dfc31dfec646aa4e94755fea2f5bf
Instruction ID: 95f99a9a4ee04cab89f889b44bf7fef28938f5645f7ff0503806827fc29445f8
Opcode Fuzzy Hash: 5f1e954273f57214f24a72954ca1193e435dfc31dfec646aa4e94755fea2f5bf
Instruction Fuzzy Hash: 1321E4B59002089FDB10CF9AD884ADEFFF5EB48310F14801AE918A3350C374A954CFA4

Function 077D506C Relevance: 1.6, APIs: 1, Instructions: 61timeCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNELBASE(?,?,?), ref: 077D5E44

Memory Dump Source

Source File: 00000006.00000002.3096797499.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_MSBuild.jbxd

Similarity

API ID: SystemTimes
String ID:
API String ID: 375623090-0
Opcode ID: e516bf4a518e816a61cc609d4e64dda9d399c4e6f604b2ef088126d33b5b5ff7
Instruction ID: 31de0a5616bd3f505c6998d7bb0790539e1d88861e68cb40713334d05ee4897c
Opcode Fuzzy Hash: e516bf4a518e816a61cc609d4e64dda9d399c4e6f604b2ef088126d33b5b5ff7
Instruction Fuzzy Hash: 2621E4B1D012199FCB40DFAAD584BDEFBF4EF48310F24806AE908AB241D7749A54CBA5

Function 017EB1F8 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017EB059,00000800,00000000,00000000), ref: 017EB26A

Memory Dump Source

Source File: 00000006.00000002.3080178357.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17e0000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: de4a372aef7079ead91afceacbd909ee2d39c4d5d21a00b57c06feb31340ad93
Instruction ID: 95ac1356de23d6c5e6a869431899c5ca7747ebef644e9a39cabd4e6ed309a1b4
Opcode Fuzzy Hash: de4a372aef7079ead91afceacbd909ee2d39c4d5d21a00b57c06feb31340ad93
Instruction Fuzzy Hash: A12144B68043089FDB14DF9AC848ADEFFF9EF89320F10842AE559A7200C375A545CFA5

Function 017EA148 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,017EB059,00000800,00000000,00000000), ref: 017EB26A

Memory Dump Source

Source File: 00000006.00000002.3080178357.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17e0000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af5b01d5574a1865b9433fc7326929fdb684e0a51c63fa3d149c99c6c4064beb
Instruction ID: 9b23cba2e771276dbdfef2a74d8448703f1c6cab0f09a9624008dd99206906d2
Opcode Fuzzy Hash: af5b01d5574a1865b9433fc7326929fdb684e0a51c63fa3d149c99c6c4064beb
Instruction Fuzzy Hash: E71114B68043099FDB10DF9AC448A9EFFF9EF88310F10846AD519AB200C375A544CFA4

Function 017EAF78 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017EAFDE

Memory Dump Source

Source File: 00000006.00000002.3080178357.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_17e0000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d617ca1470b8d48361ad5b2c51db8ea9560080df7aa6775024ba18ca7e0a906d
Instruction ID: 9cf6e43975f22b3465e0a4d74ad3c2d222a82240e267c8a5712a00e55de21454
Opcode Fuzzy Hash: d617ca1470b8d48361ad5b2c51db8ea9560080df7aa6775024ba18ca7e0a906d
Instruction Fuzzy Hash: 061122B5C003498FDB10DF9AC448ADEFBF4EF88324F10846AD529A7240C379A545CFA1

Function 0170D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3079870424.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_170d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec77f0f86b8ff8bb3786f97360b2de37fb1cd3b3f7230f339684faad80bb283
Instruction ID: 27ebf2408f0006fae9d15f1e3368d9aaac2ff1d6059541b0230001f75a64e77f
Opcode Fuzzy Hash: bec77f0f86b8ff8bb3786f97360b2de37fb1cd3b3f7230f339684faad80bb283
Instruction Fuzzy Hash: 7F21D3B5604304DFDB26DF98D9C4B16FBA5EB84354F24C5ADD90E4B286C336D407CA61

Function 0170D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3079870424.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_170d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 4d081ff27febd8386c1cfcc655e7cc5e2bc174533a0d93c08b5e5c104183dfc7
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: 8C11BE75504380CFDB12CF54D5C4B15FBA2FB44324F24C6A9D8094B696C33AD40ACB62

Non-executed Functions

Function 077D02B9 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3096797499.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c19d581932592de2404c77befe94909336dcfe13fff3a516ac83e8801daf229f
Instruction ID: c15edbc36caa46a879e8b7b87c3970bd93dff24f99fbfb8f7a789e895a1e1570
Opcode Fuzzy Hash: c19d581932592de2404c77befe94909336dcfe13fff3a516ac83e8801daf229f
Instruction Fuzzy Hash: 4C01DB71D121189FDB049FA9E80C7EDBFB5EB8E351F046069D109B3250D7B44C44CB68

Function 077D02C8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3096797499.00000000077D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_77d0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3ca49d734ab7433d11c891930f61bb114415cefd2977910e32461a59dcaa45
Instruction ID: 1ba083eda11e0e17dfa7d8171c5f757e7e4d812d3a686e4d52838299de9289ec
Opcode Fuzzy Hash: 4b3ca49d734ab7433d11c891930f61bb114415cefd2977910e32461a59dcaa45
Instruction Fuzzy Hash: 64F0A470E012148FDB049FAAE5087FDBFB5EB8E311F04646AD109B7290D7B54C44CB68

Analysis Process: dgKDUvhlvCiVpa.exePID: 6960, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	222
Total number of Limit Nodes:	8

Executed Functions

Function 00F1D3A8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F1D436
GetCurrentThread.KERNEL32 ref: 00F1D473
GetCurrentProcess.KERNEL32 ref: 00F1D4B0
GetCurrentThreadId.KERNEL32 ref: 00F1D509

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8d13cb01ed67fe2ce5e46a8a1afda29d513635bb31f4ae5c4ea89c168dcde1b1
Instruction ID: 208a0a90a606855555786007833bb95ea7ba282214041052a9a8b1223ac921e1
Opcode Fuzzy Hash: 8d13cb01ed67fe2ce5e46a8a1afda29d513635bb31f4ae5c4ea89c168dcde1b1
Instruction Fuzzy Hash: A75166B0D003498FDB54DFAAD588BDEBBF1EF88314F248459E009A7391DB34A985CB65

Function 00F1D3B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F1D436
GetCurrentThread.KERNEL32 ref: 00F1D473
GetCurrentProcess.KERNEL32 ref: 00F1D4B0
GetCurrentThreadId.KERNEL32 ref: 00F1D509

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: d0fc245887e7fbc5eaf4c2eede7e47807f022073944b6fcff57b2ace0fe7029a
Instruction ID: 7ddac8534a7807688c2d420f1687763064d4f2fc8f7a637b6ece654524461704
Opcode Fuzzy Hash: d0fc245887e7fbc5eaf4c2eede7e47807f022073944b6fcff57b2ace0fe7029a
Instruction Fuzzy Hash: 7A5143B0D003098FDB14DFAAD588BDEBBF1AF88314F208459E019A7291DB74A985CB65

Function 071BDE24 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071BE066

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f8579fc449706064adf8ca730a0054bb78e889c9c1049d7cdfd616f6ae92852f
Instruction ID: 7b9873d30fe6776ba43a865380619f6e87cf8ca888fd0105de489d81e42e2c50
Opcode Fuzzy Hash: f8579fc449706064adf8ca730a0054bb78e889c9c1049d7cdfd616f6ae92852f
Instruction Fuzzy Hash: 9BA180B1D0021ADFDF25DF68C8417DDBBB2BF44314F1481A9E848A7280DB749986CF92

Function 071BDE30 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071BE066

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 40e4e8183078c3b22dd02d6197648d500b93f23db2a8b234b05aaaa6f4571789
Instruction ID: ab27e1f219155b9c5cf51862a63ab29b8dad49de2e1c2c359ae2576b3a5776c3
Opcode Fuzzy Hash: 40e4e8183078c3b22dd02d6197648d500b93f23db2a8b234b05aaaa6f4571789
Instruction Fuzzy Hash: 4F917FB1E0021ADFDF25DFA9C8417DDBBB2BF44314F1481A9E849A7280DB749985CF92

Function 00F1AD28 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F1AF7E

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7d40d5696dc3477b0651eca523f112fcf9137052ee83018ddfdaf2efa3536fbb
Instruction ID: 48305e5f9cfb95e7d6b170ec6ca1198b36d4350fbb93a6000b2698608c29a4cf
Opcode Fuzzy Hash: 7d40d5696dc3477b0651eca523f112fcf9137052ee83018ddfdaf2efa3536fbb
Instruction Fuzzy Hash: 0F7157B0A01B058FD724DF2AD45179ABBF1FF88314F00892EE48AD7A50DB34E985DB91

Function 00F144B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F159A9

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 89979364db1cf9e79714e082d5a8b4ceeea9962a852196240752aadce9ab16ad
Instruction ID: 88351f4a8813f6a840b707b68d2c6c293c03781a7e549e5baeecd4b4b07c9ee5
Opcode Fuzzy Hash: 89979364db1cf9e79714e082d5a8b4ceeea9962a852196240752aadce9ab16ad
Instruction Fuzzy Hash: B741D4B0C00719CBDB24DFA9C8847DEBBF5BF88714F20816AD409AB251DB756945CF91

Function 00F158EC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00F159A9

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 37c3b1054d7caf407bdb4daad9e58b7d0c035c8e9252450c5db1ae70f83bf277
Instruction ID: b26e29d58ae9f3970b8fa14b583063cd26cfd9021918b1f6dfdece2212d77677
Opcode Fuzzy Hash: 37c3b1054d7caf407bdb4daad9e58b7d0c035c8e9252450c5db1ae70f83bf277
Instruction Fuzzy Hash: 0941F2B0C00719CBDB24DFA9C8847DEBBF5BF89714F20816AD409AB251DB756986CF50

Function 00F1D6C1 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F1D687

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6c48152e811a3088b686cd164cf5717c29fbbf87c714190cf4e55a3fadb64fed
Instruction ID: 5fd932af8fa7506fb2cea4e4d30b0b9e4dc2098b1e4862d3164bdbb559c7881b
Opcode Fuzzy Hash: 6c48152e811a3088b686cd164cf5717c29fbbf87c714190cf4e55a3fadb64fed
Instruction Fuzzy Hash: 74318534A803888FE304EF65E8947797BB2F7C8350F11843AE9118B7E4CAB4885ADF11

Function 071BDBA1 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071BDC38

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bc59eea5a915c7187aa7166ddc641702e851f14448a5c44242df9fc924da9d08
Instruction ID: 0bccd8d908d967a82fc20535f0f0ffb45864a1f54008ba22edbc95216dec2170
Opcode Fuzzy Hash: bc59eea5a915c7187aa7166ddc641702e851f14448a5c44242df9fc924da9d08
Instruction Fuzzy Hash: 622168B59103499FCB14DFA9C8807EEBBF1FF48310F108429E958A7241C7749955CBA4

Function 071BD5D0 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071BD656

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 70ce0aa6e17d0ec7e3c64c6139944f9ac4463326c9fefe3f594e7122462f103a
Instruction ID: 2abb7871c2912efe2ab9c8ccea6df8090ea8a851d05188085ee41dc451f4b69a
Opcode Fuzzy Hash: 70ce0aa6e17d0ec7e3c64c6139944f9ac4463326c9fefe3f594e7122462f103a
Instruction Fuzzy Hash: C02178B19003099FCB14DFAAC4857EEBFF4EF88320F10842AD459A7281CB789945CFA5

Function 071BDC90 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071BDD18

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 31b092787bb6a4f30555ec37cdbccb9f01d87d0a364808b82b8ef9c9ceb530f9
Instruction ID: 7c35a8a7b4464b9b91a78c0655960c8b11da422b210bfbdc7632676104b0b87d
Opcode Fuzzy Hash: 31b092787bb6a4f30555ec37cdbccb9f01d87d0a364808b82b8ef9c9ceb530f9
Instruction Fuzzy Hash: 13217AB18003499FCB10DFAAD881AEEFBF5FF48320F10842EE558A7281C7349941CBA5

Function 071BDBA8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071BDC38

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 79a44c5e829a98d3a4303c5bec7459bcdd5576d681edffa43bb066986393cbda
Instruction ID: cfe72a1d3bbb2ae3c34360b352e782e9cc4f4e12cdebdb05ab96e54453fbf0ed
Opcode Fuzzy Hash: 79a44c5e829a98d3a4303c5bec7459bcdd5576d681edffa43bb066986393cbda
Instruction Fuzzy Hash: 5D2169B19003099FCB14DFAAC885BDEBBF5FF88310F10842DE958A7281C7789954CBA4

Function 00F1D5F8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F1D687

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 38248198ab120b4da35deaaa9805672316af5bf80b01ad7275ffbda22d6dae9c
Instruction ID: b141742e76657c8c8b1c53a3434a22d9b8eba1c0ef100a8961214047b45640a1
Opcode Fuzzy Hash: 38248198ab120b4da35deaaa9805672316af5bf80b01ad7275ffbda22d6dae9c
Instruction Fuzzy Hash: B921E4B5900348DFDB10CFAAD584ADEBFF5EB48324F14842AE918A7351C374A954DF64

Function 071BD5D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071BD656

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ce82288bdad5ad02c6c42e642ec867f605e94eb4b73d9f15f5ab1e434b9561eb
Instruction ID: 87ad933ed9db0b3bd492af8cb319d978397a13ef5b2e88cb404747e3a9fc4b61
Opcode Fuzzy Hash: ce82288bdad5ad02c6c42e642ec867f605e94eb4b73d9f15f5ab1e434b9561eb
Instruction Fuzzy Hash: 472149B1D003099FDB14DFAAC4857EEBBF4EF88324F508429D459A7281CB789945CFA4

Function 071BDC98 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071BDD18

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 17b8e3726a813a9a29860310886b7d42d8f33221829a4c23ba11b5d33dbdc2be
Instruction ID: 05746641215a2e317f828c5fa327037f7ae844e4f49a35f3ec02c5c5e079bee9
Opcode Fuzzy Hash: 17b8e3726a813a9a29860310886b7d42d8f33221829a4c23ba11b5d33dbdc2be
Instruction Fuzzy Hash: CD2139B19003499FCB10DFAAC845AEEFBF5FF48320F50842DE559A7281C7349945DBA4

Function 00F1D600 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F1D687

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ee1e8df96cbaa18e8fe768794fd9774fd57fe591e193394b12205e38d3755b3c
Instruction ID: 694d9b4a9de3543be85bd32cab71582dbe62c55c7e5cf26d32fe3dddc6c37cd3
Opcode Fuzzy Hash: ee1e8df96cbaa18e8fe768794fd9774fd57fe591e193394b12205e38d3755b3c
Instruction Fuzzy Hash: 7A21E4B5900308AFDB10CF9AD884ADEBBF4EB48320F14841AE918A3351C374A944DFA4

Function 071BDAE0 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071BDB56

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 634d0131271552affa6559de16eabd1363161b6565d8ae72d6a47e083bd98716
Instruction ID: b9768d9b4664bd0b415bac140e7d68c173c48e81c9b2d19521068f79a417f638
Opcode Fuzzy Hash: 634d0131271552affa6559de16eabd1363161b6565d8ae72d6a47e083bd98716
Instruction Fuzzy Hash: B21189B59002499FCB24DFAAC805AEFFFF5EF89320F108819E559A7251CB35A544CFA4

Function 00F1A0E8 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F1AFF9,00000800,00000000,00000000), ref: 00F1B20A

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b9258c2e93ef8991eabe09a046f5d48c7e2008f94df32bca6c22c1d0724cede
Instruction ID: 01fa43f6ae8a2d96de9dcc12eecb9e28d69aa5ec677d44695e9df8cc3a710ba8
Opcode Fuzzy Hash: 6b9258c2e93ef8991eabe09a046f5d48c7e2008f94df32bca6c22c1d0724cede
Instruction Fuzzy Hash: 821103B6C003499FDB10DF9AD848ADEFBF4EB88320F10842AE519A7201C775A944CFA4

Function 071BD522 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071BD58A

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8fa0cc4eaa4aee940006f00ef7c599ea5e6c91619c6636be2f5a0c5812826c75
Instruction ID: 26f17d96cc2e0bb8974e5d78a9974f781fe6fbce2c37c097536860ee6ed1438c
Opcode Fuzzy Hash: 8fa0cc4eaa4aee940006f00ef7c599ea5e6c91619c6636be2f5a0c5812826c75
Instruction Fuzzy Hash: D01176B59003498FCB24DFAAC4457EEFBF4EB88324F208819C059A7280CB35A940CBA4

Function 071BDAE8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071BDB56

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 592e03b6f1f66ec6d7f7be11ebd69fd98094c5ccea3376c500f7d4acc4fedb48
Instruction ID: 2c10aa01c202a06a6757db4c6037bcd9e7924c82ca8579fded9a1f22628359c8
Opcode Fuzzy Hash: 592e03b6f1f66ec6d7f7be11ebd69fd98094c5ccea3376c500f7d4acc4fedb48
Instruction Fuzzy Hash: EE1167B59002499FCB24DFAAC844ADFFFF5EF88320F108819E519A7250CB35A940CFA4

Function 00F1B198 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F1AFF9,00000800,00000000,00000000), ref: 00F1B20A

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 61f70a48ec141ec3d19530486eb501dc1f3c23d8915ba716d6dd4076b4e5a4c4
Instruction ID: acc7c043862b57b9ab192aa53039845ded4bccd036494524e0d722a8a963c2eb
Opcode Fuzzy Hash: 61f70a48ec141ec3d19530486eb501dc1f3c23d8915ba716d6dd4076b4e5a4c4
Instruction Fuzzy Hash: 3C1114B6D00249DFDB10DF9AD448ADEFBF4EB88310F10842ED519A7600C375A944CFA5

Function 00FD1E38 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 00FD1E9D

Memory Dump Source

Source File: 00000007.00000002.1694463384.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fd0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e7937d05ca174b06d083a921e237be603caf1c6e8fa122bf3a6ea77d53af332c
Instruction ID: cddd8f1af1db277e1733a40f4e6464df8a4d671c9a61c54628722891818ec52a
Opcode Fuzzy Hash: e7937d05ca174b06d083a921e237be603caf1c6e8fa122bf3a6ea77d53af332c
Instruction Fuzzy Hash: E91125B58003089FCB20DF9AD945BDEBBF8EB48320F14840AD958A7201C375A544CFA5

Function 071BD528 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071BD58A

Memory Dump Source

Source File: 00000007.00000002.1699944220.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_71b0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d04377b162e0e8766ce9c857cb1d96b948df67bb49157575643af87d236c6369
Instruction ID: 28b85016d86d0f37bda78190cd41b21aead4a113707470bcd3d981d4c72fe880
Opcode Fuzzy Hash: d04377b162e0e8766ce9c857cb1d96b948df67bb49157575643af87d236c6369
Instruction Fuzzy Hash: 691136B59003498FCB24DFAAC4457EEFBF5EF88324F208819D559A7280CB75A944CFA5

Function 00F1AF18 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F1AF7E

Memory Dump Source

Source File: 00000007.00000002.1694232719.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f10000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3a4c0ff80356f32a89bac415da84b4d242ef5393e9a3d9aedd33ad650fb99025
Instruction ID: 397193357c0ecfb29e96f63033436e392b04e263e744dd74f7566fbdb22be734
Opcode Fuzzy Hash: 3a4c0ff80356f32a89bac415da84b4d242ef5393e9a3d9aedd33ad650fb99025
Instruction Fuzzy Hash: 8411E0B5C013498FCB10DF9AC444ADEFBF4EF88324F10845AD419A7211C379A545CFA5

Function 00FD00B8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 00FD1E9D

Memory Dump Source

Source File: 00000007.00000002.1694463384.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_fd0000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0ce9dc8ee7fefdf25f4425055e4fd8f8e0edb02038ea0f3c6b4056562e6e3073
Instruction ID: 15347602de8d4e922a250017090e017da22b1164fcba9d93767e3e129495a93a
Opcode Fuzzy Hash: 0ce9dc8ee7fefdf25f4425055e4fd8f8e0edb02038ea0f3c6b4056562e6e3073
Instruction Fuzzy Hash: C41125B58003089FCB10DF8AC445BDEBBF8FB48320F10841AE918A7341C374A944CFA0

Function 00C3D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693444538.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c3d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e4a066aee8b79af8fe8c849294fa6c6fafdb1f5319bc7c7f41437861a4b7aa
Instruction ID: 318fb015cc7ff5ed362792028fafb047a99661e42e632ad3ad2640924b3e374b
Opcode Fuzzy Hash: 44e4a066aee8b79af8fe8c849294fa6c6fafdb1f5319bc7c7f41437861a4b7aa
Instruction Fuzzy Hash: 532137B1614240DFCB05DF14E9C0B26BF65FB98328F24C569E80B0B256C336D956DBA2

Function 00C3D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693444538.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c3d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75a577a39282b825c3c549bdcf13b2ea643f93a4f5a867c8871fb98b9f5c0735
Instruction ID: 33939af03ce49050306dbcfffd5263eb388ff6177e08ba1c300599ceedf463c1
Opcode Fuzzy Hash: 75a577a39282b825c3c549bdcf13b2ea643f93a4f5a867c8871fb98b9f5c0735
Instruction Fuzzy Hash: 202128B1614204DFDB05DF14E9C4B16BF65FB94324F24C569E90B0B256C336E856CBA2

Function 00C4D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693500589.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfaf27782528a6fdf083cfa18e2655c8afe87a980bfdcb475ca6506a84fbed27
Instruction ID: 605956bbe174aefbd1af04fd9cf894c3dcf37060889f99d27926348f34c2dea5
Opcode Fuzzy Hash: dfaf27782528a6fdf083cfa18e2655c8afe87a980bfdcb475ca6506a84fbed27
Instruction Fuzzy Hash: A121F571604200EFDB15EF14D9C4B25BBA5FB94314F24C6ADE90B4B392C376DC46CA61

Function 00C4D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693500589.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757d9529954b04dbf4271a0b5598c9bc9d0c42196b7a38c235fdfa43262988e3
Instruction ID: 1135196ec3c05a833cef2de255fa0963e1b2af5d0506ab5fd1690eb735891b7e
Opcode Fuzzy Hash: 757d9529954b04dbf4271a0b5598c9bc9d0c42196b7a38c235fdfa43262988e3
Instruction Fuzzy Hash: E021D075604200DFCB14EF14D9C4B26BBA5FB94314F24C9ADE80B4B386C33AD807CA61

Function 00C4D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693500589.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffd784acba1f0edcdccecd2dbafad7639f958be4754ea414cf2e6b36be5f19e3
Instruction ID: 80bdc68645692e66bd0b0b89400025d4d7eb8813fb0627fe69c98c8b99937be8
Opcode Fuzzy Hash: ffd784acba1f0edcdccecd2dbafad7639f958be4754ea414cf2e6b36be5f19e3
Instruction Fuzzy Hash: 41218E755093808FCB02DF24D994715BF71FB46314F28C5EAD84A8B2A7C33A980ACB62

Function 00C3D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693444538.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c3d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 06f0250f05701ac25499004ba6038733d4e61f1c4a02eef7cafddbe8c4953314
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 4E110376504240CFCB02CF10E5C4B16BF72FB94324F24C2A9D80A0B256C33AE95ACBA1

Function 00C3D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693444538.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c3d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction ID: 9dc6e90e641b07ac9355ae1130e84e5a0c68bdeb7faf07ee7387297747bea65f
Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
Instruction Fuzzy Hash: 3A11E6B6504280CFCB16CF14D5C4B16BF72FB94324F24C6A9D84A0B656C336D95ACBA1

Function 00C4D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693500589.0000000000C4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c4d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction ID: 0d63e8b8d6931c21289950cbecdbab02210df28f17e35120ad88902e1c201b19
Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
Instruction Fuzzy Hash: D111BB75904280DFCB12DF10C5C4B15BBB2FB84324F24C6ADD84A4B296C37AD84ACB61

Function 00C3D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693444538.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c3d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a511ae1a03ee2c7bf6176ae99a9542497df3907ba670017533d24c4ddb224e
Instruction ID: 05f8749271946c65f413293e456a2cd2ec108ce33f7484ffed947e5dfe61edf8
Opcode Fuzzy Hash: 80a511ae1a03ee2c7bf6176ae99a9542497df3907ba670017533d24c4ddb224e
Instruction Fuzzy Hash: E201DB710143449AE7205A16ECC4B66FFD8DF52725F18C85AED1E4B28AC7799840CBB1

Function 00C3D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1693444538.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c3d000_dgKDUvhlvCiVpa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eae6f98e7eaf0bfb81c665721dc22c13d6cb8762e1ccb1b8155e6844543e4a6
Instruction ID: 21e2170cf9d25ed8677e08bcd73ba606c14989c7360f2e8807f53651d23b88b1
Opcode Fuzzy Hash: 9eae6f98e7eaf0bfb81c665721dc22c13d6cb8762e1ccb1b8155e6844543e4a6
Instruction Fuzzy Hash: 6FF0F671004340AEE7208A06EC84B62FFE8EF51734F18C45AED190F28AC379AC40CBB1

Analysis Process: MSBuild.exePID: 7292, Parent PID: 6960COMMON

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	84
Total number of Limit Nodes:	8

Executed Functions

Function 0155D408 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0155D496
GetCurrentThread.KERNEL32 ref: 0155D4D3
GetCurrentProcess.KERNEL32 ref: 0155D510
GetCurrentThreadId.KERNEL32 ref: 0155D569

Memory Dump Source

Source File: 0000000B.00000002.1735844020.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1550000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 369003bd8f4cc1b42c708fb5cff83546e05d967c8aef7f6bc1cb3216d6490702
Instruction ID: 85e4e187695fd4b16b80bfe49dcdce72f95997c85ec56ed91f5968f2139c5893
Opcode Fuzzy Hash: 369003bd8f4cc1b42c708fb5cff83546e05d967c8aef7f6bc1cb3216d6490702
Instruction Fuzzy Hash: 3C5156B19003098FDB44DFA9D588B9EBBF1FB48319F24845AD409AB390D735A984CF65

Function 0155D418 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0155D496
GetCurrentThread.KERNEL32 ref: 0155D4D3
GetCurrentProcess.KERNEL32 ref: 0155D510
GetCurrentThreadId.KERNEL32 ref: 0155D569

Memory Dump Source

Source File: 0000000B.00000002.1735844020.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1550000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 304325f7ae44b60d1a71a123d1ce97026d838d0addb7199c4207b0341345d828
Instruction ID: a35d51d3999ad5f6979003ddb5523503ed3490f8a15843e4ca06f22b8bddc5f1
Opcode Fuzzy Hash: 304325f7ae44b60d1a71a123d1ce97026d838d0addb7199c4207b0341345d828
Instruction Fuzzy Hash: ED5156B1900309CFDB54EFA9D548B9EBBF1FB48318F20845AE419AB390D774A984CF65

Function 0155AD88 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0155AFDE

Memory Dump Source

Source File: 0000000B.00000002.1735844020.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1550000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 306484bf8b8551b8ad617af593788faaec2c9232a874000ba3a79053ce58270f
Instruction ID: 99b828fa94cdc8c65a67f408b398f7b4adab765694e6969499710e80b8d7a514
Opcode Fuzzy Hash: 306484bf8b8551b8ad617af593788faaec2c9232a874000ba3a79053ce58270f
Instruction Fuzzy Hash: 5A713870A00B058FDB64DF29D46475ABBF1FF88304F008A2ED99ADBA50DB75E945CB90

Function 0155D658 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0155D6E7

Memory Dump Source

Source File: 0000000B.00000002.1735844020.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1550000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 02f2b1d698ff7a0b0b48395242ce0398da296a3a7bd057e68fb6ea655b0d5a96
Instruction ID: 3e649cf47335605a5449e0dece513d2e830f21555d241ddf98a84687bf2972fc
Opcode Fuzzy Hash: 02f2b1d698ff7a0b0b48395242ce0398da296a3a7bd057e68fb6ea655b0d5a96
Instruction Fuzzy Hash: 1E21E3B59002499FDB10CFAAD885ADEBFF9FB48320F14841AE918A7350C775A954CFA4

Function 0155D660 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0155D6E7

Memory Dump Source

Source File: 0000000B.00000002.1735844020.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1550000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 06ebf83ebf1a670d760066169773e2e96435d9aea5bbbdd2ed404f4ec69fe492
Instruction ID: 347e0ae8adfe00b29611b1c6c85069d1cce57771b5348e03274ba9be6e264066
Opcode Fuzzy Hash: 06ebf83ebf1a670d760066169773e2e96435d9aea5bbbdd2ed404f4ec69fe492
Instruction Fuzzy Hash: 0921E0B59002499FDB10CFAAD884ADEBFF8FB48320F14841AE918A7350C374A944CFA4

Function 0155A148 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0155B059,00000800,00000000,00000000), ref: 0155B26A

Memory Dump Source

Source File: 0000000B.00000002.1735844020.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1550000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 42cb8b24937b1bc5af7f3f3cda55134b600504626ccb3474da795c57a1b71b07
Instruction ID: 612c9961a73f3f3fb33c10d2e82ca53100d54e06ca9091caa3ba71d75a79e4c5
Opcode Fuzzy Hash: 42cb8b24937b1bc5af7f3f3cda55134b600504626ccb3474da795c57a1b71b07
Instruction Fuzzy Hash: 291114B6C003498FDB10DF9AC448ADEFBF5FB48310F10842AE919AB200C775A945CFA5

Function 0155B1F8 Relevance: 1.6, APIs: 1, Instructions: 54
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0155B059,00000800,00000000,00000000), ref: 0155B26A

Memory Dump Source

Source File: 0000000B.00000002.1735844020.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1550000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 41fe42719b5dbeeb8df6cb22c9f10e3cbc45c70c031fde59294380f005768eb0
Instruction ID: 2af24d5fac61fe532438c6857bd905ae651c5cb3de01bf4ef5d3fe8231681e46
Opcode Fuzzy Hash: 41fe42719b5dbeeb8df6cb22c9f10e3cbc45c70c031fde59294380f005768eb0
Instruction Fuzzy Hash: DA1123B6C003098FDB10CF9AC488ADEFBF5FB88310F10852AE959AB200C775A545CFA5

Function 0155AF78 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0155AFDE

Memory Dump Source

Source File: 0000000B.00000002.1735844020.0000000001550000.00000040.00000800.00020000.00000000.sdmp, Offset: 01550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1550000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6bd82f5e51993600a33501602e44d462f8f300329f7792ddfe6a2839744217e4
Instruction ID: e2add44f921e4ea83783ec6586b2ccf5f61edc2f3dc1647d2182ba7b16062d4c
Opcode Fuzzy Hash: 6bd82f5e51993600a33501602e44d462f8f300329f7792ddfe6a2839744217e4
Instruction Fuzzy Hash: 991110B5C003498FDB10CF9AC444ADEFBF4EF88324F10852AD929A7240C379A545CFA1

Function 0124D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1735365403.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_124d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d63cfd2f2b9917c9650fec84a6aa4a016629739062760a6e825e87ddf3c448
Instruction ID: 05af787c2ab8fd47948c43d39025d811c8585a0ae22ab02e143a2926c88391b0
Opcode Fuzzy Hash: e2d63cfd2f2b9917c9650fec84a6aa4a016629739062760a6e825e87ddf3c448
Instruction Fuzzy Hash: 64212575614208DFCB19DF58D8C4B16BBA5FBA4314F20C96DD90A0B342C37AD407CA61

Function 0124D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1735365403.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_124d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e9b0971248212cd418e4598a04f537456ff03b0e411d730e12232672f44b14
Instruction ID: da02ad86e5ca8702c99483095b7df661be69bb891367459996344cbdcb935043
Opcode Fuzzy Hash: 29e9b0971248212cd418e4598a04f537456ff03b0e411d730e12232672f44b14
Instruction Fuzzy Hash: D8219F755083849FCB07CF64D994B11BF71EB56314F28C5EAD9498F2A7C33A980ACB62

Analysis Process: dnshost.exePID: 7492, Parent PID: 2580COMMON

Executed Functions

Function 00E52B90 Relevance: 2.0, Instructions: 2013COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9ad88b859e05d7b0fee28569bf9bc5ac60ef0abbe2d4210752ed647fa6cea5
Instruction ID: 556115a68063cf17b3ec3261735dbeea7e5ff25c5dceb51a4a09d865e760ef98
Opcode Fuzzy Hash: 4b9ad88b859e05d7b0fee28569bf9bc5ac60ef0abbe2d4210752ed647fa6cea5
Instruction Fuzzy Hash: 3B038B30A0071A9FDB11EF64CC44BA9B7B6FF89700F118695E6087B691DBB1AEC5CB50

Function 00E55A49 Relevance: 1.7, Strings: 1, Instructions: 436COMMON

Download Yara Rule

Strings

$^q, xrefs: 00E55A79

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 623d762330d57285ab65257f62f72902be1fa2c6e46d6d928a832965b09a6d25
Instruction ID: 70108e2978d3c6846f56932e8a20e7b29b3fe862a8b085643387d3bf1c03dd82
Opcode Fuzzy Hash: 623d762330d57285ab65257f62f72902be1fa2c6e46d6d928a832965b09a6d25
Instruction Fuzzy Hash: B6F1C631B007059FDB14DF64C954BAEB7F2BF8870AF148829D909AB295DB71EC45CB50

Function 00E517C8 Relevance: 3.9, Strings: 3, Instructions: 157COMMON

Download Yara Rule

Strings

D@, xrefs: 00E5182E
(bq, xrefs: 00E518B1
Hbq, xrefs: 00E5181D

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID: (bq$D@$Hbq
API String ID: 0-913811383
Opcode ID: 646ca4989342cbe02173c0b3415f2e7607b51ed73c175100328b997b40f5abd9
Instruction ID: 20587eedcf5ca2e05543b8a26a997560cd81b480d90f21f51ed7cfd30005eb56
Opcode Fuzzy Hash: 646ca4989342cbe02173c0b3415f2e7607b51ed73c175100328b997b40f5abd9
Instruction Fuzzy Hash: 2F51BE71E002489FCB08DF7998146FEBBB2EFC5311F1484BAD559E7291EB344A0ACB91

Function 00E520C8 Relevance: 2.6, Strings: 2, Instructions: 126COMMON

Download Yara Rule

Strings

$^q, xrefs: 00E52116
$^q, xrefs: 00E52122

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 40c0606906ef5733934190d99527c21a8278971109ea15c464077fe21017f91a
Instruction ID: 5a231faa4c21f6b35e978875eac6306223bc3dc8e646722cf6f716d839e78bb0
Opcode Fuzzy Hash: 40c0606906ef5733934190d99527c21a8278971109ea15c464077fe21017f91a
Instruction Fuzzy Hash: 0D41E3356002098FC705EF29D84496E77F2FF85311715C56AE609DB364EF70AD49CBA0

Function 00E55071 Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

`Q^q, xrefs: 00E553C2

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID: `Q^q
API String ID: 0-1948671464
Opcode ID: 0a80235a8d0ffd439144f7225b7a016c72ddc13984eaa5977f79f9060c04156d
Instruction ID: 03a8a8695c46929a0551058312a691ee1ec355ddf017545e70455f08a5e4ab90
Opcode Fuzzy Hash: 0a80235a8d0ffd439144f7225b7a016c72ddc13984eaa5977f79f9060c04156d
Instruction Fuzzy Hash: AB21F332A042048FDB14DF64C8656AD7BF1AF89349F151869D806F7294EBB0AC49CBA1

Function 00E50848 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

4'^q, xrefs: 00E5085B

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 86c0cf93a9f9bc5cdebd1567034db5d0f89dc84186af9103edc6d852fff83efd
Instruction ID: b6431d170976f8e40cfc9a4aa3883e629857e2533e7ab6ea7b865b3a1037c05d
Opcode Fuzzy Hash: 86c0cf93a9f9bc5cdebd1567034db5d0f89dc84186af9103edc6d852fff83efd
Instruction Fuzzy Hash: EC41C270A002189FDB01EFB8E5447AD7BF1EF84305F108825E109AB355EF749D49CBA1

Function 00E51F70 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

tP^q, xrefs: 00E5204B

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: b7c1dbed19f787a4b43108831fba93caa594885889b42b90614d49acb6df2062
Instruction ID: ef832f5a670d9f064333d525a1bb8e18bd35af7f507a6b3dbfad266dcbc5b8d0
Opcode Fuzzy Hash: b7c1dbed19f787a4b43108831fba93caa594885889b42b90614d49acb6df2062
Instruction Fuzzy Hash: 04215A74B002158FCB48EF78C44896EB7B2AF4970972148A9E90ADF3A1DB35DC42CB91

Function 00E51F80 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

tP^q, xrefs: 00E5204B

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID: tP^q
API String ID: 0-2862610199
Opcode ID: 8f242b5f97c09c5ed51db22125e7595047179fbbf0e1686fbeffde4bcd2720ab
Instruction ID: fd0468316b342baa32902e63efe3649b69517e008ae63b36419c958990e6e76d
Opcode Fuzzy Hash: 8f242b5f97c09c5ed51db22125e7595047179fbbf0e1686fbeffde4bcd2720ab
Instruction Fuzzy Hash: 8F213774B002158FCB48EF78C45896EB7F2AF4971572148A9E90ADB3B1DA35DC42CB91

Function 00E55350 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

`Q^q, xrefs: 00E553C2

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID: `Q^q
API String ID: 0-1948671464
Opcode ID: 7cf057b8bda5f96808d92d3215776832a921391e8a8550fd386b3f14f896f39f
Instruction ID: 9ed6111a68854f218f8c98ef9aae111c16688b68fdcf532443f5a0ad023a5a7d
Opcode Fuzzy Hash: 7cf057b8bda5f96808d92d3215776832a921391e8a8550fd386b3f14f896f39f
Instruction Fuzzy Hash: FB112271A102098BDB14DF64C8216BE7BF2BF88309F104828D806B7384EF74AD48CBB1

Function 00E54C70 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a57daddd6f50a1ab1c68ea5a72089805ecdf578e753ab985812bd70f50cac2
Instruction ID: 231a3371bd05944aa71d2a9e687e5b37c2e76a36ce6d56a6ac14ba9807ab4bb4
Opcode Fuzzy Hash: b3a57daddd6f50a1ab1c68ea5a72089805ecdf578e753ab985812bd70f50cac2
Instruction Fuzzy Hash: 6AA14A70200605CFCB15DF19C988A69BBF2FF45305B46C9A9D4499F6A6DB30FD89CB90

Function 00E51062 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d138041dc05757dcfc10d9e13e470dc0fb3e8776abc3ccd140988764c70154ba
Instruction ID: 858dcf634519ade6aa03e9843cb35c9902323052ff3537d145b5c65fa4a9ed6a
Opcode Fuzzy Hash: d138041dc05757dcfc10d9e13e470dc0fb3e8776abc3ccd140988764c70154ba
Instruction Fuzzy Hash: 78918F71D002089FCB05DFE5D944AEEBBFABF88304F14852AE505EB264DB75994ACF60

Function 00E55E30 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e49b99c4750d80aa10d72fccd12fc15a02639f6c43c9ef0257de1fb332ca9d8
Instruction ID: fc8ee77ea8d8b50809d7671db74c31c3b042091ddaba83e339888ccb692fcd39
Opcode Fuzzy Hash: 6e49b99c4750d80aa10d72fccd12fc15a02639f6c43c9ef0257de1fb332ca9d8
Instruction Fuzzy Hash: 9761AD31B002049FCB04DF69C894BAEBBF2BF88715F148465E905EB3A1DB71AC49CB60

Function 00E50ED7 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a275d9365cffb82e4ad2f16f68eb921bb1725ba6c22393f84a719e3a42c32d
Instruction ID: b5224e312c9f9270ede7a43506d18fa5123c11d576e39cdd59beca068298d32d
Opcode Fuzzy Hash: 57a275d9365cffb82e4ad2f16f68eb921bb1725ba6c22393f84a719e3a42c32d
Instruction Fuzzy Hash: 7821905382E3808FEB1646281C562A03F90D7723577752ED7E999B7193E580480DC3B2

Function 00E56068 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34752495c0a8bf69be45c2d944a88a4ba1ef6aa955fe890a5d8a0c1f9583bfe4
Instruction ID: d20da1a96e913d2b8f1f0010deead3f8effc16488eeef5f6ae93e742c4b13d2e
Opcode Fuzzy Hash: 34752495c0a8bf69be45c2d944a88a4ba1ef6aa955fe890a5d8a0c1f9583bfe4
Instruction Fuzzy Hash: 99112070E043489FCB21DF3D9844BAE7FB1EFC5319F1004AEE508AB282EB3259098790

Function 00E55620 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3ca73ce3f05d8dd174e534b8d40473d18382be0a6fdcbc86b0d67b6b84daa83
Instruction ID: 6962dd8d74f6c7128fb0a3fc614174aa769c1277ab165fcc77dcd2abe9d764be
Opcode Fuzzy Hash: b3ca73ce3f05d8dd174e534b8d40473d18382be0a6fdcbc86b0d67b6b84daa83
Instruction Fuzzy Hash: 0501D871B002308FC7159F3DE8548157BE99F8961631600A5E805DB335CE71EC0587E1

Function 00E55630 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1fa452b6e11cfae8935db578a932ce888ea462b65bda069c4cf041832a683dd
Instruction ID: fe9950ffe7f5c8f1b92371fde2f4c0f57ef3dcb58e2fa0370b030e6ff3c7ee81
Opcode Fuzzy Hash: b1fa452b6e11cfae8935db578a932ce888ea462b65bda069c4cf041832a683dd
Instruction Fuzzy Hash: 43F06876B101308FC758AF3DE55481A77E99F89B6631501B9E809DB324DE71EC018BE1

Function 00E55541 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff006911a12aa767a5ef6d0b122b6239947a24d12ac9badecd952449bdae283
Instruction ID: 00e5d905ae1d006563d1a8af4a06129d0b3b9bbd5a6051e85e63481155c4f4b5
Opcode Fuzzy Hash: 8ff006911a12aa767a5ef6d0b122b6239947a24d12ac9badecd952449bdae283
Instruction Fuzzy Hash: D2F0E9353043149FC305DB3ADC5488A7BA6EFCE321758847AE509D7361DA76AC4AC7A1

Function 00E50AA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b8a5cc9803cd1329656896b3bc8b5b1883ec31a7d0a097dc9fa0636e99024c
Instruction ID: 7fb35cc3154984d1a59da803b7a6f7674b8dfaa606c2f26841ab8ca8eaf9b212
Opcode Fuzzy Hash: d5b8a5cc9803cd1329656896b3bc8b5b1883ec31a7d0a097dc9fa0636e99024c
Instruction Fuzzy Hash: 61F0F6357003014FCB0867B1E96876B3355A780789F040838A906D73D4EEAACC88C790

Function 00E54F3C Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c6282e87204d908113cbe21b554df52d68bd1e9c726a757c860d1e45577f41
Instruction ID: a7823e45d7c457191a0d29b79b71590afa228063c1361bf2619f5c0e7d10863e
Opcode Fuzzy Hash: b9c6282e87204d908113cbe21b554df52d68bd1e9c726a757c860d1e45577f41
Instruction Fuzzy Hash: 48F024B2E043049FDB04CBA898451AD7BB4EFC8305B04819BE615A7264EF740649CB40

Function 00E55550 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9782a692aa4e36f47513ca6e641c1e0be4f0f5622fbcde7967548f9031526ec0
Instruction ID: 74de6e836180ebad643eaf11613e3abb789cf23ef764dff3b5863c040c959e75
Opcode Fuzzy Hash: 9782a692aa4e36f47513ca6e641c1e0be4f0f5622fbcde7967548f9031526ec0
Instruction Fuzzy Hash: 1FE09B313003049FC304EB3AE84485AB7AAFBC93517148139E50EC3354DE755C4AC761

Function 00E513B0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9c12e1dc00f5127a196bb5900c342691494f9aaed002b212b69a31af52e818
Instruction ID: 14b4c450ec0a409abf475054ebf9833a8c166e69b91679f7d4af06e50923e6a8
Opcode Fuzzy Hash: bb9c12e1dc00f5127a196bb5900c342691494f9aaed002b212b69a31af52e818
Instruction Fuzzy Hash: 36F0F478640205CFC705EF64D258A6CBBB1EF49309F2048A9E41AAB3A1DBB99845CF01

Function 00E50F28 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8030850730a117678412c784f6e9ffc07dad0907c2e06e2e1230d23a18174ad9
Instruction ID: 7fb7c283dda6b3735798c9a40b25afefeeee62a34bc405a96ed6dacc3ee229dc
Opcode Fuzzy Hash: 8030850730a117678412c784f6e9ffc07dad0907c2e06e2e1230d23a18174ad9
Instruction Fuzzy Hash: DCE0927090630CDFCB41DF74DE01958BBF4EF5634572445EAD808EB251DA316E05CBA1

Function 00E50F38 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1799456874.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e50000_dnshost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a95e74dd5f93af99f03b40a8761b42390b7845bd43cf7c50a9fd545c497457
Instruction ID: 618ff8d3212d5baf82dbab75ee204ffd5962afbe9e1da82745082227b3fcd349
Opcode Fuzzy Hash: a3a95e74dd5f93af99f03b40a8761b42390b7845bd43cf7c50a9fd545c497457
Instruction Fuzzy Hash: 42D01770A0020DEFCB00EFA8EE0195DB7F9EB44205B1085A9A408E7241EA716F009B91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fLNzmBM9hR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DNS Host\dnshost.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MSBuild.exe_f553dd681214908324f05d7ad9ebff8e6dc2a494_1623435c_b407573d-7935-418a-89b8-f36dbc0c1682\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4924.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4963.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC6F3.tmp.dmp

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Windows Analysis Report
fLNzmBM9hR.exe

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre