Windows Analysis Report
S1qgnlqr1V.exe

Overview

General Information

Sample name: S1qgnlqr1V.exe
renamed because original name is a hash value
Original sample name: 10b98a933809918bfcdd9c1ea91edee6.exe
Analysis ID: 1544356
MD5: 10b98a933809918bfcdd9c1ea91edee6
SHA1: 4e5f1555f8030aab3e98fe7ef31c8083ba9e32f2
SHA256: 70494a9ed1d509c12c48aa4dc68f06f73bee77a18a625b576dd515e9f4e0d6c3
Tags: 32, exe, trojan

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: S1qgnlqr1V.exe Avira: detected
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Avira: detection malicious, Label: HEUR/AGEN.1305635
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "a376f716-2f77-4943-a431-3a3bcb53", "Group": "CAT", "Domain1": "66.63.187.113", "Domain2": "66.63.187.113", "Port": 1664, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Source: C:\Program Files (x86)\DNS Host\dnshost.exe ReversingLabs: Detection: 52%
Source: S1qgnlqr1V.exe ReversingLabs: Detection: 52%
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Joe Sandbox ML: detected
Source: S1qgnlqr1V.exe Joe Sandbox ML: detected
Source: S1qgnlqr1V.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: S1qgnlqr1V.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.pdbh~ source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Xml.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: Accessibility.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: rzUp.pdb source: S1qgnlqr1V.exe, dnshost.exe.4.dr
Source: Binary string: System.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Configuration.pdb` source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Xml.pdbMZ source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Configuration.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Configuration.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Xml.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Windows.Forms.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: mscorlib.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Core.pdb8 source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Windows.Forms.pdbp source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Drawing.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Core.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERC346.tmp.dmp.25.dr
Source: Binary string: rzUp.pdbSHA256 source: S1qgnlqr1V.exe, dnshost.exe.4.dr
Source: Binary string: System.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr

Networking

Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49739 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49741 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49741 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49739 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49742 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49742 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49743 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49743 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49740 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49740 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49744 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49747 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49744 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49747 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Malware configuration extractor URLs: 66.63.187.113
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49739 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49741 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49742 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49740 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49743 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49744 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49747 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49749 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49748 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49753 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49750 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49751 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49752 -> 66.63.187.113:1664
Source: unknown TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: S1qgnlqr1V.exe, 00000000.00000002.2080996073.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 0000000A.00000002.2135969780.0000000003332000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 0000000B.00000002.2149555917.0000000002372000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000013.00000002.2223301091.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.25.dr String found in binary or memory: http://upx.sf.net
Source: S1qgnlqr1V.exe, 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_3e37a762-f

E-Banking Fraud

Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR

System Summary

Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
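The three kinds of match lines above (UNPACKEDPE, MEMORY and MEMORYSTR) are easier to act on once they are folded back to processes and memory regions. The script below is an added example, not part of the sandbox report: it parses the short-form "Matched rule: X Author: Y" lines, decodes the .sdmp dump names, and lists the regions that are executable but not backed by an image file, which is the footprint the injected NanoCore payload leaves. The dump-name layout is inferred from the report itself (the first two fields agree with the N.2.image.exe entries, the fourth is a base address, the fifth and seventh carry winnt.h PAGE_* and MEM_* values); fields 3, 6 and 8 are sandbox-internal and are left undecoded. The sample lines are copied from this report.

```python
"""Triage helper for Joe Sandbox 'Source: ... Matched rule: ...' lines.

Example code, not part of the sandbox report. The .sdmp field layout is an
inference from the report (see decode_dump), not a documented format.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80          # PAGE_EXECUTE* protections (winnt.h)
MEM_TYPES = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

MEMORY_RE = re.compile(
    r"^Source: (?P<dump>[0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+){7})\.sdmp, type: MEMORY "
    r"Matched rule: (?P<rule>.+?) Author: .+$")
UNPACK_RE = re.compile(
    r"^Source: (?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.\d+"
    r"(?:\.raw)?\.unpack, type: UNPACKEDPE Matched rule: (?P<rule>.+?) Author: .+$")
PROCMEM_RE = re.compile(
    r"^Source: Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+), type: MEMORYSTR "
    r"Matched rule: (?P<rule>.+?) Author: .+$")


def decode_dump(dump):
    """Decode a dump name such as
    00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000
    Field meaning is inferred: proc and stage match the 'N.2.image.exe' entries,
    field 4 is the region base, field 5 a PAGE_* protection, field 7 a MEM_* type."""
    f = dump.split(".")
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return {
        "proc": int(f[0], 16),          # sandbox process number, not the Windows PID
        "stage": int(f[1], 16),         # 2 == dump taken after execution
        "base": int(f[3], 16),
        "protect": protect,             # 0x40 == PAGE_EXECUTE_READWRITE
        "type": MEM_TYPES.get(mtype, f"0x{mtype:08x}"),
        "executable": bool(protect & PAGE_EXECUTE_ANY),
    }


def rules_by_process(lines):
    """Sandbox process number -> sorted rule names, from MEMORY and UNPACKEDPE hits."""
    out = defaultdict(set)
    for line in lines:
        line = line.strip()
        if (m := MEMORY_RE.match(line)):
            out[decode_dump(m["dump"])["proc"]].add(m["rule"])
        elif (m := UNPACK_RE.match(line)):
            out[int(m["proc"])].add(m["rule"])
    return {k: sorted(v) for k, v in sorted(out.items())}


def injected_regions(lines):
    """Rule-matching regions that are executable yet not MEM_IMAGE: code that was
    written into the process rather than loaded from a file on disk."""
    seen, out = set(), []
    for line in lines:
        if (m := MEMORY_RE.match(line.strip())):
            d = decode_dump(m["dump"])
            key = (d["proc"], d["base"])
            if d["executable"] and d["type"] != "MEM_IMAGE" and key not in seen:
                seen.add(key)
                out.append(d)
    return out


def os_pids(lines):
    """Image name -> real Windows PIDs whose whole memory space matched (MEMORYSTR)."""
    out = defaultdict(set)
    for line in lines:
        if (m := PROCMEM_RE.match(line.strip())):
            out[m["image"]].add(int(m["pid"]))
    return {k: sorted(v) for k, v in out.items()}


# Sample input: lines copied from this report.
REPORT_LINES = """
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
""".strip().splitlines()

if __name__ == "__main__":
    for proc, rules in rules_by_process(REPORT_LINES).items():
        print(f"process {proc}: {', '.join(rules)}")
    for r in injected_regions(REPORT_LINES):
        print(f"injected code: process {r['proc']} base 0x{r['base']:x} "
              f"protect 0x{r['protect']:x} {r['type']}")
    print("OS PIDs:", os_pids(REPORT_LINES))
```

On the sample lines the only executable non-image hit is process 16 at 0x402000 (PAGE_EXECUTE_READWRITE, MEM_PRIVATE), the region behind the 16.2.dnshost.exe.400000.0.unpack entry; the PAGE_READWRITE heap regions that match are the decrypted plugin blobs, not the running code. The long-form matches with reference_sample and fingerprint metadata use a different layout and are not parsed here.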
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A2CA8 NtQueryInformationProcess, 0_2_077A2CA8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A2CA0 NtQueryInformationProcess, 0_2_077A2CA0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07642CA8 NtQueryInformationProcess, 10_2_07642CA8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07642CA0 NtQueryInformationProcess, 10_2_07642CA0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E42CA8 NtQueryInformationProcess, 19_2_06E42CA8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E42CA0 NtQueryInformationProcess, 19_2_06E42CA0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_00C0DA8C 0_2_00C0DA8C
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A0040 0_2_077A0040
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A57D8 0_2_077A57D8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A57D7 0_2_077A57D7
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A66F0 0_2_077A66F0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A66E0 0_2_077A66E0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A2578 0_2_077A2578
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077AD500 0_2_077AD500
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A001F 0_2_077A001F
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A20B8 0_2_077A20B8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A2E28 0_2_077A2E28
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077ADD70 0_2_077ADD70
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A1C70 0_2_077A1C70
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077AFA10 0_2_077AFA10
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A6979 0_2_077A6979
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077AD938 0_2_077AD938
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077AD928 0_2_077AD928
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_077A6988 0_2_077A6988
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_0CFE18A0 0_2_0CFE18A0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 0_2_0CFE3950 0_2_0CFE3950
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 4_2_0125D344 4_2_0125D344
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_0183DA8C 10_2_0183DA8C
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_03211A39 10_2_03211A39
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_032139C0 10_2_032139C0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07640040 10_2_07640040
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_076457CB 10_2_076457CB
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_076457D8 10_2_076457D8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_0764D620 10_2_0764D620
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_0764D630 10_2_0764D630
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_076466E0 10_2_076466E0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_076466F0 10_2_076466F0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07642578 10_2_07642578
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_0764D1E2 10_2_0764D1E2
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07640006 10_2_07640006
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_076420B8 10_2_076420B8
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07642E28 10_2_07642E28
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_0764DEA0 10_2_0764DEA0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07641C70 10_2_07641C70
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_0764FB40 10_2_0764FB40
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_0764DA68 10_2_0764DA68
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07646979 10_2_07646979
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_07646988 10_2_07646988
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 11_2_02161A48 11_2_02161A48
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 11_2_021639C0 11_2_021639C0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 11_2_02161A39 11_2_02161A39
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 11_2_0220DA8C 11_2_0220DA8C
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 14_2_0153D344 14_2_0153D344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 16_2_0174D344 16_2_0174D344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_00EDDA8C 19_2_00EDDA8C
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E40040 19_2_06E40040
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E466E0 19_2_06E466E0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E466F0 19_2_06E466F0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E457C9 19_2_06E457C9
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E457D8 19_2_06E457D8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E42578 19_2_06E42578
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E4D500 19_2_06E4D500
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E4D0C8 19_2_06E4D0C8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E420B8 19_2_06E420B8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E4001F 19_2_06E4001F
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E42E28 19_2_06E42E28
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E41C80 19_2_06E41C80
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E4DD70 19_2_06E4DD70
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E4FA10 19_2_06E4FA10
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E46988 19_2_06E46988
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E46979 19_2_06E46979
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E4D928 19_2_06E4D928
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06E4D938 19_2_06E4D938
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_070F3670 19_2_070F3670
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_070F15C8 19_2_070F15C8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_070F15B8 19_2_070F15B8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 20_2_016CD344 20_2_016CD344
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 20_2_05791978 20_2_05791978
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 20_2_057960C8 20_2_057960C8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 20_2_057971A0 20_2_057971A0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 20_2_057970E8 20_2_057970E8
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 20_2_057960B7 20_2_057960B7
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 1756
Source: S1qgnlqr1V.exe, 00000000.00000000.2068245397.00000000005A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerzUp.exe6 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000000.00000002.2098014593.0000000009F60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000000.00000002.2079523228.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000000.00000002.2095997755.00000000076B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3625707954.0000000005790000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3622066100.0000000003C81000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe, 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe Binary or memory string: OriginalFilenamerzUp.exe6 vs S1qgnlqr1V.exe
Source: S1qgnlqr1V.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
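The "OriginalFilename ... vs S1qgnlqr1V.exe" entries compare the name embedded in each PE's VS_VERSIONINFO resource with the name the sample actually runs under; here the on-disk binary calls itself rzUp.exe, and the decrypted modules in memory identify themselves as Tyrone.dll, ClientPlugin.dll, SurveillanceExClientPlugin.dll and Lzma#.dll. The script below is an added example, not part of the report, that performs the same check on raw file or dump bytes without a PE parser: it locates the UTF-16LE "OriginalFilename" key of a version-info String entry and reads the value up to its terminator. The trailing character on the report's strings (rzUp.exe6, Tyrone.dll8) is most plausibly the low byte of the next entry's length field picked up by the string extractor; stopping at the terminator avoids it. The sample blob is constructed inline and is not a real PE.

```python
"""Extract OriginalFilename values from PE or memory bytes and flag mismatches
against the running file name. Example code, not part of the sandbox report."""
import re
import struct

# VS_VERSIONINFO String entry: WORD wLength, WORD wValueLength, WORD wType,
# UTF-16LE szKey ("OriginalFilename\0"), 0-2 bytes of padding to a DWORD
# boundary, UTF-16LE Value terminated by "\0".
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def original_filenames(blob):
    """Every OriginalFilename value in blob, in order of appearance."""
    found = []
    for m in re.finditer(re.escape(KEY), blob):
        pos = m.end()
        if blob[pos:pos + 2] == b"\x00\x00":      # at most one WORD of DWORD padding
            pos += 2
        end = pos
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2                              # walk UTF-16 code units to the terminator
        try:
            found.append(blob[pos:end].decode("utf-16-le"))
        except UnicodeDecodeError:
            continue                              # key hit inside unrelated data
    return found


def mismatches(blob, running_name):
    """Embedded names that differ from the name the process runs under."""
    return [n for n in original_filenames(blob) if n.lower() != running_name.lower()]


def build_string_entry(key, value):
    """Constructed String entry laid out like the on-disk structure (test input only)."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    while (6 + len(body)) % 4:
        body += b"\x00"
    body += value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed sample: version-info fragments of the dropper and one decrypted module.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62                          # filler, not a real PE header
    + build_string_entry("CompanyName", "")
    + build_string_entry("OriginalFilename", "rzUp.exe")
    + build_string_entry("ProductName", "rzUp")
    + b"\xcc" * 16
    + build_string_entry("OriginalFilename", "Tyrone.dll")
)

if __name__ == "__main__":
    for name in mismatches(SAMPLE_BLOB, "S1qgnlqr1V.exe"):
        print(f"OriginalFilename {name} vs S1qgnlqr1V.exe")
```

To run it against the real artefacts, read the dropped file or a .sdmp dump into bytes and pass it to mismatches() together with the name seen in the process list; a mismatch is only a lead (renamed legitimate tools trip it too), but a dropper whose name differs from its own version info and that carries further PEs with unrelated names, as here, is worth pulling apart.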
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.5570000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.330a2b8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.S1qgnlqr1V.exe.333a220.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.S1qgnlqr1V.exe.2c34aa8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: S1qgnlqr1V.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dnshost.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, K2JUEsV8vEGAd8d4vV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, K2JUEsV8vEGAd8d4vV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, K2JUEsV8vEGAd8d4vV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: _0020.AddAccessRule
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: _0020.AddAccessRule
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winEXE@29/27@0/1
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe File created: C:\Program Files (x86)\DNS Host
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S1qgnlqr1V.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5880
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a376f716-2f77-4943-a431-3a3bcb53b7c0}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4ew4cfgm.cmq.ps1
Source: S1qgnlqr1V.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: S1qgnlqr1V.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: S1qgnlqr1V.exe ReversingLabs: Detection: 52%
Source: S1qgnlqr1V.exe String found in binary or memory: $8ef8c825-4d3b-4232-add3-f59032e3b409
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe File read: C:\Users\user\Desktop\S1qgnlqr1V.exe
Source: unknown Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe C:\Users\user\Desktop\S1qgnlqr1V.exe 0
Source: unknown Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 1756
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: S1qgnlqr1V.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: S1qgnlqr1V.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: S1qgnlqr1V.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.pdbh~ source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Xml.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: Accessibility.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: rzUp.pdb source: S1qgnlqr1V.exe, dnshost.exe.4.dr
Source: Binary string: System.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Configuration.pdb` source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Xml.pdbMZ source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Configuration.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Configuration.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Xml.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Windows.Forms.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: mscorlib.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Core.pdb8 source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Windows.Forms.pdbp source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Drawing.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Core.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERC346.tmp.dmp.25.dr
Source: Binary string: rzUp.pdbSHA256 source: S1qgnlqr1V.exe, dnshost.exe.4.dr
Source: Binary string: System.ni.pdb source: WERC346.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERC346.tmp.dmp.25.dr

Data Obfuscation

Source: S1qgnlqr1V.exe, frmMain.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: S1qgnlqr1V.exe, frmMain.cs .Net Code: InitializeComponent
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs .Net Code: sGfJNrfpRu System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs .Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs .Net Code: sGfJNrfpRu System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.3970b90.0.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs .Net Code: sGfJNrfpRu System.Reflection.Assembly.Load(byte[])
Source: 0.2.S1qgnlqr1V.exe.5000000.4.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: dnshost.exe.4.dr, frmMain.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: dnshost.exe.4.dr, frmMain.cs .Net Code: InitializeComponent
Source: S1qgnlqr1V.exe Static PE information: 0xF36C4B0A [Mon Jun 1 01:29:46 2099 UTC]
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Code function: 10_2_0764B530 push es; retf 10_2_0764B580
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 20_2_057990FD push FFFFFF8Bh; iretd 20_2_057990FF
Source: S1qgnlqr1V.exe Static PE information: section name: .text entropy: 7.976488521718555
Source: dnshost.exe.4.dr Static PE information: section name: .text entropy: 7.976488521718555
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, tfsLtBnipv4hjQkwWK.cs High entropy of concatenated method names: 'rCpLes1iVi', 'ncfLcpqIr3', 'fnyL85E5FL', 'xbqLST7r6k', 'WesLiAByY4', 'ppELXgZP6U', 'zbgLt9Kgfn', 'ShCL4EEJeL', 'JOPLqaGnws', 'wLtLEguynW'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, K2JUEsV8vEGAd8d4vV.cs High entropy of concatenated method names: 'Tkccyt0iyW', 'i9Ec1t1cf3', 'm6VcspIcMn', 'IxMcIkD6Nl', 'r2Gc6Zw7U0', 'qcocnY10d3', 'xUQcvWHDBt', 'f8bcAORJVI', 'Bw7cklQ3G2', 'qAgcm4kIQ7'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, mbDLx2M4muMvkqtp0T.cs High entropy of concatenated method names: 'HYXL0mEjjC', 'bnxLHflyPp', 'mxoLwwkJCD', 'S9NLRrmY9q', 'rPdLyA7Wtl', 'Ae7Ljp8CPx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, dk2PC9FUOX5R5DVll3.cs High entropy of concatenated method names: 'uP5324d5fu', 'tkC3gaBMyJ', 'V0M30h5swr', 'S9f3HQ3Q8D', 'GEx3REHgC4', 'fXT3jRuU4F', 'XGc3QIqj3c', 'wQF3r8NtUi', 'XaN3YG6ixi', 'cSW3Cck6QZ'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, kud2GY2KVaXnwhbOGk.cs High entropy of concatenated method names: 'ToString', 'RClWCJhpo8', 'b2LWHihRb9', 'hCYWwx4VIT', 'RF2WRxLHLm', 'CZrWjZKxRL', 'OMgWTIi8kG', 'c5NWQdsTff', 'kNDWrEMAIn', 'LDCWfmVwlc'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, ojWe7AI1WluDtWcsWk.cs High entropy of concatenated method names: 'y87Sdc2fiH', 'ghESbXkGBV', 'mqH8wvI4hu', 'ILv8RJnoKm', 'KIa8jMgv00', 'e9M8TVHyLm', 'T5w8QJoLe3', 'huQ8rn5m8p', 'Sh78fruyZY', 'eJY8YIIStY'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, TcYLxOSwmrtPThybOn.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'U5GpkZpFTv', 'DWHpmtHn4m', 'ANOpzhJr2V', 'cUJVarGa7h', 'xfbV5wojhB', 't6eVpmbls7', 'MOtVVh6Bl6', 'C8NDM8CKGYoGkYZN4Wn'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, knxd5wjEF9X4i9DapQ.cs High entropy of concatenated method names: 'iufiOUb1RS', 'Gn2icWS0oR', 'FdGiSUR5LF', 'vvUiX1mt5W', 'GgyitMBbmk', 'eT2S6WFbIy', 'UTjSn1yRRu', 'A9nSvYRrg1', 'jUySANwj1T', 'uWYSkVeMki'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, ENMPCHbhAhKW3pvi0f.cs High entropy of concatenated method names: 'Dispose', 'QCG5k49nTA', 'x6DpHopXwV', 'iixFFFOBEp', 'mxx5m3ZeBX', 'qIH5zVls6n', 'ProcessDialogKey', 'BqYpay67tM', 'ttyp5AUoI9', 'CnhppoktPa'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, jX2CVEl3uFgvd1jOmA.cs High entropy of concatenated method names: 'cYa5XEQ60U', 'NAF5tbIVm5', 'U4M5q9cPc5', 'GlU5E2OaeY', 'uAN5hlo592', 'ScO5WCamHY', 'vr0p6Gd6ZvJWLmmjok', 'AIJCDycRUdISyNggdl', 'gHZ55me4wM', 'rMX5V5J7xA'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, BPKnnDffFa2YjtZVLG.cs High entropy of concatenated method names: 'd1qXZ7grhY', 'QrsXlhOxh0', 'KIqXNq9Y5m', 'FwkXouP7ng', 'iXWXdYxFdY', 'QI3XKwsTE7', 'u5NXbCYiZh', 'HT8X2yYVeL', 'kHvXgGhVvO', 'DXSX74y1oL'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs High entropy of concatenated method names: 'T2KVOZbL50', 'cOeVevgKTn', 'bu2VcgFAAZ', 'KArV8LNvA9', 'A94VSUYdnA', 'DboViLsJMT', 'NP8VX3YPCF', 'nlkVtT8OuV', 'QSeV4TxUlm', 'kwxVq1gqeI'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, MeayWckdWGgmOsBXYw.cs High entropy of concatenated method names: 'bdiCjHW3WsrBmhBZlek', 'bQVvJKWDjZTEMMMOpUa', 'ckfiL987dw', 'X92i95rYgo', 'D8jiuiZNYd', 'hvFrSlW70ThyvFkGnp3', 'DQbYptWUX8VKAUA1wnQ'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, bYNHCU7QUk9nHbKvNn.cs High entropy of concatenated method names: 'LHlhYfoPem', 'RcmhB9qtei', 'UiyhyqoqXX', 'eGSh18eo5D', 'NaFhH5E4lP', 'uK4hwN83cG', 's2PhROQy7U', 'HBEhj2AA6s', 'hyyhTMWopk', 'iOThQmL8qC'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, kb5pD3tMfSNaKoT475.cs High entropy of concatenated method names: 'Tx9NJNW8A', 'gC8oBi0HG', 'X2wKvF4gZ', 'KYVblNspQ', 'DsRgvPMY5', 'eH07JNxX2', 'nqWhq5rbrnJ2S3ay5M', 'SRNeZaRgdNtD7evR1g', 'VKHLIdNGu', 'bcWuJYITB'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, hFWeYe6lVJGfrJbyXJ.cs High entropy of concatenated method names: 'rZEDAZqJcX', 'ybpDmfePvI', 'mfJLaBeNMv', 'X2hL5oF1Hk', 'WEEDCOVH0s', 'z0oDBGnSl3', 'rc8DUUr3i5', 'ccWDyWBuqR', 'MCGD114tVU', 'wXBDsn5XkA'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, QJBxB9idte0niQEnqXO.cs High entropy of concatenated method names: 'H0W9Z7bkUx', 'qF79lkK1IA', 'JwB9N1xWGc', 'FcD9oa9HQW', 'wIF9dhph6H', 'K9u9K3rnas', 'jtA9bmBvP8', 'YbI928JX6I', 'UaN9gjPW5g', 'KBs97NAEI7'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, lZWXKMBwXHDXteLcFe.cs High entropy of concatenated method names: 'pEaXeSckWZ', 'oWuX8ENa5m', 'k5bXi61yeX', 'QuAimb73ov', 'pSPizAD1ZU', 'pYRXas6oIi', 'bYjX5dLs7T', 'c4DXprBbfm', 'cYuXVRe93O', 'N6JXJS0itW'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, RGm6Xkv8Ze1P2qvYYe.cs High entropy of concatenated method names: 'JL78oKuRjO', 'nLf8Kl8OFK', 'I4L82V34He', 'mg38giO1cP', 'u4a8h5IwAO', 'EL48WIXjHo', 'Qak8DecFU5', 'XHt8L7NiME', 'oNE89veURC', 'cZa8u9TmCq'
Source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, l4TJewwOvHe5WqvLHB.cs High entropy of concatenated method names: 'mSH95fR2FF', 'oGk9Vn1D94', 'hUO9JVdEVF', 'hDx9elJjQB', 'ISy9ciKeth', 'Tke9S73KDd', 'wUQ9ig5YVG', 'SkxLvOETIF', 'Dr0LAXi0LR', 'NrSLkJgaXD'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, tfsLtBnipv4hjQkwWK.cs High entropy of concatenated method names: 'rCpLes1iVi', 'ncfLcpqIr3', 'fnyL85E5FL', 'xbqLST7r6k', 'WesLiAByY4', 'ppELXgZP6U', 'zbgLt9Kgfn', 'ShCL4EEJeL', 'JOPLqaGnws', 'wLtLEguynW'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, K2JUEsV8vEGAd8d4vV.cs High entropy of concatenated method names: 'Tkccyt0iyW', 'i9Ec1t1cf3', 'm6VcspIcMn', 'IxMcIkD6Nl', 'r2Gc6Zw7U0', 'qcocnY10d3', 'xUQcvWHDBt', 'f8bcAORJVI', 'Bw7cklQ3G2', 'qAgcm4kIQ7'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, mbDLx2M4muMvkqtp0T.cs High entropy of concatenated method names: 'HYXL0mEjjC', 'bnxLHflyPp', 'mxoLwwkJCD', 'S9NLRrmY9q', 'rPdLyA7Wtl', 'Ae7Ljp8CPx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, dk2PC9FUOX5R5DVll3.cs High entropy of concatenated method names: 'uP5324d5fu', 'tkC3gaBMyJ', 'V0M30h5swr', 'S9f3HQ3Q8D', 'GEx3REHgC4', 'fXT3jRuU4F', 'XGc3QIqj3c', 'wQF3r8NtUi', 'XaN3YG6ixi', 'cSW3Cck6QZ'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, kud2GY2KVaXnwhbOGk.cs High entropy of concatenated method names: 'ToString', 'RClWCJhpo8', 'b2LWHihRb9', 'hCYWwx4VIT', 'RF2WRxLHLm', 'CZrWjZKxRL', 'OMgWTIi8kG', 'c5NWQdsTff', 'kNDWrEMAIn', 'LDCWfmVwlc'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, ojWe7AI1WluDtWcsWk.cs High entropy of concatenated method names: 'y87Sdc2fiH', 'ghESbXkGBV', 'mqH8wvI4hu', 'ILv8RJnoKm', 'KIa8jMgv00', 'e9M8TVHyLm', 'T5w8QJoLe3', 'huQ8rn5m8p', 'Sh78fruyZY', 'eJY8YIIStY'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, TcYLxOSwmrtPThybOn.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'U5GpkZpFTv', 'DWHpmtHn4m', 'ANOpzhJr2V', 'cUJVarGa7h', 'xfbV5wojhB', 't6eVpmbls7', 'MOtVVh6Bl6', 'C8NDM8CKGYoGkYZN4Wn'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, knxd5wjEF9X4i9DapQ.cs High entropy of concatenated method names: 'iufiOUb1RS', 'Gn2icWS0oR', 'FdGiSUR5LF', 'vvUiX1mt5W', 'GgyitMBbmk', 'eT2S6WFbIy', 'UTjSn1yRRu', 'A9nSvYRrg1', 'jUySANwj1T', 'uWYSkVeMki'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, ENMPCHbhAhKW3pvi0f.cs High entropy of concatenated method names: 'Dispose', 'QCG5k49nTA', 'x6DpHopXwV', 'iixFFFOBEp', 'mxx5m3ZeBX', 'qIH5zVls6n', 'ProcessDialogKey', 'BqYpay67tM', 'ttyp5AUoI9', 'CnhppoktPa'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, jX2CVEl3uFgvd1jOmA.cs High entropy of concatenated method names: 'cYa5XEQ60U', 'NAF5tbIVm5', 'U4M5q9cPc5', 'GlU5E2OaeY', 'uAN5hlo592', 'ScO5WCamHY', 'vr0p6Gd6ZvJWLmmjok', 'AIJCDycRUdISyNggdl', 'gHZ55me4wM', 'rMX5V5J7xA'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, BPKnnDffFa2YjtZVLG.cs High entropy of concatenated method names: 'd1qXZ7grhY', 'QrsXlhOxh0', 'KIqXNq9Y5m', 'FwkXouP7ng', 'iXWXdYxFdY', 'QI3XKwsTE7', 'u5NXbCYiZh', 'HT8X2yYVeL', 'kHvXgGhVvO', 'DXSX74y1oL'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs High entropy of concatenated method names: 'T2KVOZbL50', 'cOeVevgKTn', 'bu2VcgFAAZ', 'KArV8LNvA9', 'A94VSUYdnA', 'DboViLsJMT', 'NP8VX3YPCF', 'nlkVtT8OuV', 'QSeV4TxUlm', 'kwxVq1gqeI'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, MeayWckdWGgmOsBXYw.cs High entropy of concatenated method names: 'bdiCjHW3WsrBmhBZlek', 'bQVvJKWDjZTEMMMOpUa', 'ckfiL987dw', 'X92i95rYgo', 'D8jiuiZNYd', 'hvFrSlW70ThyvFkGnp3', 'DQbYptWUX8VKAUA1wnQ'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, bYNHCU7QUk9nHbKvNn.cs High entropy of concatenated method names: 'LHlhYfoPem', 'RcmhB9qtei', 'UiyhyqoqXX', 'eGSh18eo5D', 'NaFhH5E4lP', 'uK4hwN83cG', 's2PhROQy7U', 'HBEhj2AA6s', 'hyyhTMWopk', 'iOThQmL8qC'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, kb5pD3tMfSNaKoT475.cs High entropy of concatenated method names: 'Tx9NJNW8A', 'gC8oBi0HG', 'X2wKvF4gZ', 'KYVblNspQ', 'DsRgvPMY5', 'eH07JNxX2', 'nqWhq5rbrnJ2S3ay5M', 'SRNeZaRgdNtD7evR1g', 'VKHLIdNGu', 'bcWuJYITB'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, hFWeYe6lVJGfrJbyXJ.cs High entropy of concatenated method names: 'rZEDAZqJcX', 'ybpDmfePvI', 'mfJLaBeNMv', 'X2hL5oF1Hk', 'WEEDCOVH0s', 'z0oDBGnSl3', 'rc8DUUr3i5', 'ccWDyWBuqR', 'MCGD114tVU', 'wXBDsn5XkA'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, QJBxB9idte0niQEnqXO.cs High entropy of concatenated method names: 'H0W9Z7bkUx', 'qF79lkK1IA', 'JwB9N1xWGc', 'FcD9oa9HQW', 'wIF9dhph6H', 'K9u9K3rnas', 'jtA9bmBvP8', 'YbI928JX6I', 'UaN9gjPW5g', 'KBs97NAEI7'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, lZWXKMBwXHDXteLcFe.cs High entropy of concatenated method names: 'pEaXeSckWZ', 'oWuX8ENa5m', 'k5bXi61yeX', 'QuAimb73ov', 'pSPizAD1ZU', 'pYRXas6oIi', 'bYjX5dLs7T', 'c4DXprBbfm', 'cYuXVRe93O', 'N6JXJS0itW'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, RGm6Xkv8Ze1P2qvYYe.cs High entropy of concatenated method names: 'JL78oKuRjO', 'nLf8Kl8OFK', 'I4L82V34He', 'mg38giO1cP', 'u4a8h5IwAO', 'EL48WIXjHo', 'Qak8DecFU5', 'XHt8L7NiME', 'oNE89veURC', 'cZa8u9TmCq'
Source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, l4TJewwOvHe5WqvLHB.cs High entropy of concatenated method names: 'mSH95fR2FF', 'oGk9Vn1D94', 'hUO9JVdEVF', 'hDx9elJjQB', 'ISy9ciKeth', 'Tke9S73KDd', 'wUQ9ig5YVG', 'SkxLvOETIF', 'Dr0LAXi0LR', 'NrSLkJgaXD'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, tfsLtBnipv4hjQkwWK.cs High entropy of concatenated method names: 'rCpLes1iVi', 'ncfLcpqIr3', 'fnyL85E5FL', 'xbqLST7r6k', 'WesLiAByY4', 'ppELXgZP6U', 'zbgLt9Kgfn', 'ShCL4EEJeL', 'JOPLqaGnws', 'wLtLEguynW'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, K2JUEsV8vEGAd8d4vV.cs High entropy of concatenated method names: 'Tkccyt0iyW', 'i9Ec1t1cf3', 'm6VcspIcMn', 'IxMcIkD6Nl', 'r2Gc6Zw7U0', 'qcocnY10d3', 'xUQcvWHDBt', 'f8bcAORJVI', 'Bw7cklQ3G2', 'qAgcm4kIQ7'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, mbDLx2M4muMvkqtp0T.cs High entropy of concatenated method names: 'HYXL0mEjjC', 'bnxLHflyPp', 'mxoLwwkJCD', 'S9NLRrmY9q', 'rPdLyA7Wtl', 'Ae7Ljp8CPx', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, dk2PC9FUOX5R5DVll3.cs High entropy of concatenated method names: 'uP5324d5fu', 'tkC3gaBMyJ', 'V0M30h5swr', 'S9f3HQ3Q8D', 'GEx3REHgC4', 'fXT3jRuU4F', 'XGc3QIqj3c', 'wQF3r8NtUi', 'XaN3YG6ixi', 'cSW3Cck6QZ'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, kud2GY2KVaXnwhbOGk.cs High entropy of concatenated method names: 'ToString', 'RClWCJhpo8', 'b2LWHihRb9', 'hCYWwx4VIT', 'RF2WRxLHLm', 'CZrWjZKxRL', 'OMgWTIi8kG', 'c5NWQdsTff', 'kNDWrEMAIn', 'LDCWfmVwlc'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, ojWe7AI1WluDtWcsWk.cs High entropy of concatenated method names: 'y87Sdc2fiH', 'ghESbXkGBV', 'mqH8wvI4hu', 'ILv8RJnoKm', 'KIa8jMgv00', 'e9M8TVHyLm', 'T5w8QJoLe3', 'huQ8rn5m8p', 'Sh78fruyZY', 'eJY8YIIStY'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, TcYLxOSwmrtPThybOn.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'U5GpkZpFTv', 'DWHpmtHn4m', 'ANOpzhJr2V', 'cUJVarGa7h', 'xfbV5wojhB', 't6eVpmbls7', 'MOtVVh6Bl6', 'C8NDM8CKGYoGkYZN4Wn'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, knxd5wjEF9X4i9DapQ.cs High entropy of concatenated method names: 'iufiOUb1RS', 'Gn2icWS0oR', 'FdGiSUR5LF', 'vvUiX1mt5W', 'GgyitMBbmk', 'eT2S6WFbIy', 'UTjSn1yRRu', 'A9nSvYRrg1', 'jUySANwj1T', 'uWYSkVeMki'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, ENMPCHbhAhKW3pvi0f.cs High entropy of concatenated method names: 'Dispose', 'QCG5k49nTA', 'x6DpHopXwV', 'iixFFFOBEp', 'mxx5m3ZeBX', 'qIH5zVls6n', 'ProcessDialogKey', 'BqYpay67tM', 'ttyp5AUoI9', 'CnhppoktPa'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, jX2CVEl3uFgvd1jOmA.cs High entropy of concatenated method names: 'cYa5XEQ60U', 'NAF5tbIVm5', 'U4M5q9cPc5', 'GlU5E2OaeY', 'uAN5hlo592', 'ScO5WCamHY', 'vr0p6Gd6ZvJWLmmjok', 'AIJCDycRUdISyNggdl', 'gHZ55me4wM', 'rMX5V5J7xA'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, BPKnnDffFa2YjtZVLG.cs High entropy of concatenated method names: 'd1qXZ7grhY', 'QrsXlhOxh0', 'KIqXNq9Y5m', 'FwkXouP7ng', 'iXWXdYxFdY', 'QI3XKwsTE7', 'u5NXbCYiZh', 'HT8X2yYVeL', 'kHvXgGhVvO', 'DXSX74y1oL'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, H4CSQ1Nx2HfkRkLYUK.cs High entropy of concatenated method names: 'T2KVOZbL50', 'cOeVevgKTn', 'bu2VcgFAAZ', 'KArV8LNvA9', 'A94VSUYdnA', 'DboViLsJMT', 'NP8VX3YPCF', 'nlkVtT8OuV', 'QSeV4TxUlm', 'kwxVq1gqeI'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, MeayWckdWGgmOsBXYw.cs High entropy of concatenated method names: 'bdiCjHW3WsrBmhBZlek', 'bQVvJKWDjZTEMMMOpUa', 'ckfiL987dw', 'X92i95rYgo', 'D8jiuiZNYd', 'hvFrSlW70ThyvFkGnp3', 'DQbYptWUX8VKAUA1wnQ'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, bYNHCU7QUk9nHbKvNn.cs High entropy of concatenated method names: 'LHlhYfoPem', 'RcmhB9qtei', 'UiyhyqoqXX', 'eGSh18eo5D', 'NaFhH5E4lP', 'uK4hwN83cG', 's2PhROQy7U', 'HBEhj2AA6s', 'hyyhTMWopk', 'iOThQmL8qC'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, kb5pD3tMfSNaKoT475.cs High entropy of concatenated method names: 'Tx9NJNW8A', 'gC8oBi0HG', 'X2wKvF4gZ', 'KYVblNspQ', 'DsRgvPMY5', 'eH07JNxX2', 'nqWhq5rbrnJ2S3ay5M', 'SRNeZaRgdNtD7evR1g', 'VKHLIdNGu', 'bcWuJYITB'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, hFWeYe6lVJGfrJbyXJ.cs High entropy of concatenated method names: 'rZEDAZqJcX', 'ybpDmfePvI', 'mfJLaBeNMv', 'X2hL5oF1Hk', 'WEEDCOVH0s', 'z0oDBGnSl3', 'rc8DUUr3i5', 'ccWDyWBuqR', 'MCGD114tVU', 'wXBDsn5XkA'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, QJBxB9idte0niQEnqXO.cs High entropy of concatenated method names: 'H0W9Z7bkUx', 'qF79lkK1IA', 'JwB9N1xWGc', 'FcD9oa9HQW', 'wIF9dhph6H', 'K9u9K3rnas', 'jtA9bmBvP8', 'YbI928JX6I', 'UaN9gjPW5g', 'KBs97NAEI7'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, lZWXKMBwXHDXteLcFe.cs High entropy of concatenated method names: 'pEaXeSckWZ', 'oWuX8ENa5m', 'k5bXi61yeX', 'QuAimb73ov', 'pSPizAD1ZU', 'pYRXas6oIi', 'bYjX5dLs7T', 'c4DXprBbfm', 'cYuXVRe93O', 'N6JXJS0itW'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, RGm6Xkv8Ze1P2qvYYe.cs High entropy of concatenated method names: 'JL78oKuRjO', 'nLf8Kl8OFK', 'I4L82V34He', 'mg38giO1cP', 'u4a8h5IwAO', 'EL48WIXjHo', 'Qak8DecFU5', 'XHt8L7NiME', 'oNE89veURC', 'cZa8u9TmCq'
Source: 0.2.S1qgnlqr1V.exe.9f60000.5.raw.unpack, l4TJewwOvHe5WqvLHB.cs High entropy of concatenated method names: 'mSH95fR2FF', 'oGk9Vn1D94', 'hUO9JVdEVF', 'hDx9elJjQB', 'ISy9ciKeth', 'Tke9S73KDd', 'wUQ9ig5YVG', 'SkxLvOETIF', 'Dr0LAXi0LR', 'NrSLkJgaXD'
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe File created: C:\Program Files (x86)\DNS Host\dnshost.exe

Boot Survival

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe File opened: C:\Users\user\Desktop\S1qgnlqr1V.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: C00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 2950000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: FB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 78F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 88F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 8AA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 6AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 9FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: AFE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: BFE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 1210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 17F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 3300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 3200000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 8A80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 9A80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: A450000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: B450000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2150000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2340000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 6BA0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 7BA0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 7D30000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 8D30000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 9660000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: A660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 1530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 32D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 1720000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 32A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 52A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: ED0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2870000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 4870000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 7170000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 8170000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 8310000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 9310000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 9AC0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: AAC0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: BAC0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 16C0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 3140000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 5140000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4920
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1234
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Window / User API: threadDelayed 6372
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Window / User API: threadDelayed 3187
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Window / User API: foregroundWindowGot 1197
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4829
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6022
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe TID: 6412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7292 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe TID: 7380 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe TID: 7384 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7408 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812 Thread sleep count: 4829 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7904 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep count: 223 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7860 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep count: 6022 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7816 Thread sleep count: 269 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe TID: 7644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8116 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8176 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.25.dr Binary or memory string: VMware
Source: S1qgnlqr1V.exe, 00000000.00000002.2079523228.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\X
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.25.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.25.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.25.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.25.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.25.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: dnshost.exe, 0000000B.00000002.2135782497.0000000000761000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.25.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.25.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: S1qgnlqr1V.exe, 00000004.00000002.3627593485.0000000006740000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.25.dr Binary or memory string: vmci.sys
Source: Amcache.hve.25.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: dnshost.exe, 0000000B.00000002.2135782497.0000000000761000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.25.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.25.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.25.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr Binary or memory string: VMware20,1
Source: Amcache.hve.25.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.25.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.25.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.25.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.25.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.25.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.25.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.25.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.25.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Memory written: C:\Users\user\Desktop\S1qgnlqr1V.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmp5791.tmp"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5BA8.tmp"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Process created: C:\Users\user\Desktop\S1qgnlqr1V.exe "C:\Users\user\Desktop\S1qgnlqr1V.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D63000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqLJ
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq0.
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqdc
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq0
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq4
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqlh
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqTP
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqtq
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq8
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.000000000313F000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager0
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq<
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.000000000311F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq$
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D63000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqlW
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000003173000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq(
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000003181000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager4p
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqXA
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq,
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqU
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqT
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqX
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq`w
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq\
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqL[
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.000000000311F000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000003181000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq@
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.00000000031A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqTd
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq,=
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqH
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqpw
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq$,
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqL
Source: S1qgnlqr1V.exe, 00000004.00000002.3628646108.000000000703D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager|
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqp
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqd#
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqt
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D63000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000003173000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqs
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqx
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq4k
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqp'
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq|.
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq|
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqp%
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq`
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq4c
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq@j
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqd
Source: S1qgnlqr1V.exe, 00000004.00000002.3623292397.000000000517E000.00000004.00000010.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3628182909.0000000006DFD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program ManagerR
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqh
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjql
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqTx
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqD#
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqP0
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqd7
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqpE
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjqd0
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002F93000.00000004.00000800.00020000.00000000.sdmp, S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerlBjq
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq,q
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002D97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLRjq\!
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Users\user\Desktop\S1qgnlqr1V.exe VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Users\user\Desktop\S1qgnlqr1V.exe VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Users\user\Desktop\S1qgnlqr1V.exe VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Users\user\Desktop\S1qgnlqr1V.exe VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\S1qgnlqr1V.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.25.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR

Remote Access Functionality

Source: S1qgnlqr1V.exe, 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: S1qgnlqr1V.exe, 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 00000004.00000002.3624998267.0000000005570000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: S1qgnlqr1V.exe, 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: S1qgnlqr1V.exe, 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5584629.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f061c.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c5adb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.43dad70.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c8d9d0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f4c45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42eb7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.44b9eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5580000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.43dad70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.S1qgnlqr1V.exe.5580000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.43d1270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.dnshost.exe.42f061c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S1qgnlqr1V.exe.4445890.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c8d9d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.4366750.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c4d980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dnshost.exe.42f2130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.dnshost.exe.3c5adb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.S1qgnlqr1V.exe.4c1ad60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.2188060482.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3625042713.0000000005580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2153913266.0000000003BDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2192719441.00000000042A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2191980146.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2139186404.0000000004B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2225931176.000000000410B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2084110983.00000000041EA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2194703045.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.3614190873.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 6672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 5880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7388, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: S1qgnlqr1V.exe PID: 7560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8096, type: MEMORYSTR