Windows Analysis Report
nD2ozRD7MN.exe

Overview

General Information

Sample name: nD2ozRD7MN.exe
renamed because original name is a hash value
Original sample name: 8e2827146c4c433affba78c88fd685db.exe
Analysis ID: 1546575
MD5: 8e2827146c4c433affba78c88fd685db
SHA1: de632114a70a9ad4b16ed686e48477f398531ae0
SHA256: 058e2c02b8cfb93b480ea8cfac08e967b39631a579256ebee27fb7472194c1ea
Tags: 32exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: http://google.com URL Reputation: Label: malware
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "a376f716-2f77-4943-a431-3a3bcb53", "Group": "CAT", "Domain1": "66.63.187.113", "Domain2": "66.63.187.113", "Port": 1664, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Source: 66.63.187.113 Virustotal: Detection: 8% Perma Link
Source: C:\Program Files (x86)\DNS Host\dnshost.exe ReversingLabs: Detection: 50%
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Virustotal: Detection: 38% Perma Link
Source: nD2ozRD7MN.exe ReversingLabs: Detection: 50%
Source: nD2ozRD7MN.exe Virustotal: Detection: 38% Perma Link
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Joe Sandbox ML: detected
Source: nD2ozRD7MN.exe Joe Sandbox ML: detected
Source: nD2ozRD7MN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: nD2ozRD7MN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: MyClientPlugin.pdblt source: WER3715.tmp.dmp.25.dr
Source: Binary string: NanoCoreStressTester.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: Accessibility.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: FileBrowserClient.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Management.pdbu source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Configuration.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Configuration.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: Accessibility.pdbP source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Configuration.pdbt^ source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Windows.Forms.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: mscorlib.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: NanoCoreStressTester.pdbxX source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Drawing.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Management.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Management.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: MyClientPluginNew.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: MyClientPlugin.pdbL0 source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER3715.tmp.dmp.25.dr
Source: Binary string: MyClientPlugin.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: NanoCoreBase.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdby source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 4x nop then jmp 082B21B6h 0_2_082B1667
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 4x nop then jmp 082B21B6h 0_2_082B16E2
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_078E5580
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_078E5570
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 4x nop then jmp 025A21B6h 9_2_025A1667
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 4x nop then jmp 025A21B6h 9_2_025A16E2
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 4x nop then jmp 07D121B6h 15_2_07D116E2
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 4x nop then jmp 07D121B6h 15_2_07D11667
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 4x nop then jmp 00F20C86h 19_2_00F201B2
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 4x nop then jmp 00F20C86h 19_2_00F20137

Networking

Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49729 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49729 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49760 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49760 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046909 - Severity 1 - ET MALWARE NanoCore RAT Keepalive Response 1 : 66.63.187.113:1664 -> 192.168.2.5:49760
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49794 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2816718 - Severity 1 - ETPRO MALWARE NanoCore RAT Keep-Alive Beacon : 192.168.2.5:49794 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49794 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49827 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49827 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49862 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49862 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49896 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49896 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49931 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49931 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2046914 - Severity 1 - ET MALWARE NanoCore RAT CnC 7 : 192.168.2.5:49988 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2822326 - Severity 1 - ETPRO MALWARE NanoCore RAT CnC 19 : 192.168.2.5:49988 -> 66.63.187.113:1664
Source: Malware configuration extractor URLs: 66.63.187.113
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49713 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49710 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49729 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49707 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49760 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49794 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49827 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49862 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49896 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49931 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49988 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49993 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49962 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49996 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49994 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2025019 - Severity 1 - ET MALWARE Possible NanoCore C2 60B : 192.168.2.5:49995 -> 66.63.187.113:1664
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49711
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49907
Source: unknown TCP traffic detected without corresponding DNS query: 66.63.187.113
Source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: nD2ozRD7MN.exe, 00000000.00000002.2015700428.0000000003194000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000009.00000002.2059154791.0000000002889000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 0000000F.00000002.2086828450.0000000003457000.00000004.00000800.00020000.00000000.sdmp, dnshost.exe, 00000013.00000002.2155168860.0000000002949000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.25.dr String found in binary or memory: http://upx.sf.net
Source: nD2ozRD7MN.exe, 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_73b37347-f

E-Banking Fraud

Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR

System Summary

Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR Matched rule: detect Nanocore in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1960
Source: nD2ozRD7MN.exe, 00000000.00000002.2037006043.0000000007EA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000000.00000000.1999328550.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUFVz.exe6 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000000.00000002.2013527422.000000000117E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558552439.00000000078F8000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3536908593.00000000015E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3554404587.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558638769.0000000007928000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558861975.000000000793E000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.0000000004431000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3558267406.00000000078CE000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000009.00000002.2062497793.0000000004305000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 00000009.00000002.2062497793.000000000437A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe Binary or memory string: OriginalFilenameUFVz.exe6 vs nD2ozRD7MN.exe
Source: nD2ozRD7MN.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7880000.20.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7870000.19.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7930000.28.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7904c9f.25.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78a0000.22.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7900000.27.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7860000.18.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7890000.21.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.45e9ad7.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78c0000.23.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.2c9a258.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7880000.20.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7850000.17.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.474e28e.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 17.2.dnshost.exe.2dfa2d4.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7930000.28.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76d0000.15.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473702f.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.5ab0000.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.78f0000.24.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7860000.18.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7900000.27.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.790e8a4.26.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.7890000.21.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.76e0000.16.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.45e4e38.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3435bc4.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.33dd044.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3456430.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473fe5e.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.45f36dc.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.2.nD2ozRD7MN.exe.473702f.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.nD2ozRD7MN.exe.3441e00.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR Matched rule: Nanocore author = JPCERT/CC Incident Response Group, description = detect Nanocore in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: nD2ozRD7MN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dnshost.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qVxXNKnhAcArgJoGGYXiyyQ--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: _0020.SetAccessControl
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: _0020.AddAccessRule
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: _0020.SetAccessControl
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: _0020.AddAccessRule
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: _0020.SetAccessControl
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs Security API names: _0020.AddAccessRule
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@29/29@0/1
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe File created: C:\Program Files (x86)\DNS Host
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nD2ozRD7MN.exe.log
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{a376f716-2f77-4943-a431-3a3bcb53b7c0}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5016
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dmfjbfr1.d2r.ps1
Source: nD2ozRD7MN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nD2ozRD7MN.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nD2ozRD7MN.exe, 00000000.00000000.1999252645.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, dnshost.exe.5.dr Binary or memory string: INSERT INTO Service (CustomerId, Active, Date) VALUES (@customerId, '1', @date);
Source: nD2ozRD7MN.exe, 00000000.00000000.1999252645.0000000000A72000.00000002.00000001.01000000.00000003.sdmp, dnshost.exe.5.dr Binary or memory string: SELECT COUNT(*) FROM Service WHERE (Active LIKE '1') AND (CustomerId = @id);
Source: nD2ozRD7MN.exe ReversingLabs: Detection: 50%
Source: nD2ozRD7MN.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe File read: C:\Users\user\Desktop\nD2ozRD7MN.exe
Source: unknown Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp"
Source: unknown Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe C:\Users\user\Desktop\nD2ozRD7MN.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe" 0
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1960
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
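The process-creation rows above contain the three behaviours an analyst would want to alert on from endpoint telemetry: the sample excludes its own image from Windows Defender through Add-MpPreference, it registers scheduled tasks from throw-away XML files in the user's Temp directory, and both the dropper and the dnshost.exe copy start a fresh instance of their own image before the injected payload appears in memory. The following is an added example, not part of the sandbox report or of any vendor tooling; its events are constructed from the rows above (paths kept verbatim) plus one benign control row, and the field names and rule names are assumptions made for the example:

```python
"""Triage of process-creation events for the behaviours recorded above.

Added example, not part of the sandbox report or of any vendor tool.
EVENTS is constructed from the report's "Process created" rows plus one
benign control row; the field names (parent, image, cmdline) and the rule
names are assumptions made for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the process that created the child
    image: str    # image path of the new process
    cmdline: str  # command line of the new process


# Constructed from the rows above (sandbox paths kept verbatim); the last
# row is a benign control that must produce no finding.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\nD2ozRD7MN.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\nD2ozRD7MN.exe",
              r"C:\Users\user\Desktop\nD2ozRD7MN.exe",
              r'"C:\Users\user\Desktop\nD2ozRD7MN.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\nD2ozRD7MN.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"'),
    ProcEvent(r"C:\Users\user\Desktop\nD2ozRD7MN.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp"'),
    ProcEvent(r"C:\Program Files (x86)\DNS Host\dnshost.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"'),
    ProcEvent(r"C:\Program Files (x86)\DNS Host\dnshost.exe",
              r"C:\Program Files (x86)\DNS Host\dnshost.exe",
              r'"C:\Program Files (x86)\DNS Host\dnshost.exe"'),
    # Benign control (constructed): an administrator importing a task from a
    # non-temporary location.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'),
]

# Add-MpPreference with any exclusion parameter; captures the value, quoted or not.
_EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
# schtasks /create ... /xml <file>; captures the XML path, quoted or not.
_TASK_XML = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\b.*?/xml\s+(?:"([^"]+)"|(\S+))', re.I)
_TEMP_DIRS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")


def _captured(m):
    """Whichever of the quoted / unquoted alternatives matched."""
    return (m.group(1) or m.group(2)).strip()


def defender_exclusion(ev):
    """Excluded value if the command adds a Defender exclusion, else None."""
    m = _EXCLUSION.search(ev.cmdline)
    return _captured(m) if m else None


def task_from_temp_xml(ev):
    """XML path if a task is registered from a file under a Temp directory, else None."""
    m = _TASK_XML.search(ev.cmdline)
    if not m:
        return None
    xml = _captured(m)
    return xml if any(d in xml.lower() for d in _TEMP_DIRS) else None


def self_spawn(ev):
    """True when a process starts a fresh copy of its own image, the usual
    prelude to suspended-process injection (hollowing)."""
    return ev.image.lower() == ev.parent.lower()


def triage(events):
    """Return (rule, parent, detail) tuples for every event that fires a rule."""
    findings = []
    for ev in events:
        excl = defender_exclusion(ev)
        if excl is not None:
            # A process whitelisting its own image is the strongest variant.
            rule = "defender_exclusion_self" if excl.lower() == ev.parent.lower() else "defender_exclusion"
            findings.append((rule, ev.parent, excl))
        xml = task_from_temp_xml(ev)
        if xml is not None:
            findings.append(("task_from_temp_xml", ev.parent, xml))
        if self_spawn(ev):
            findings.append(("self_spawn", ev.parent, ev.cmdline))
    return findings


if __name__ == "__main__":
    for rule, parent, detail in triage(EVENTS):
        print(f"{rule:24} {parent} -> {detail}")
```

Run against the constructed events the three rules fire twice each (once for the dropper, once for the dnshost.exe copy) and the control row stays silent. The self-exclusion rule keys on the excluded path equalling the parent image, which is what separates this sample from an administrator excluding a build directory; in real telemetry the same comparison should also be made against the grandparent, since the report shows the exclusion being issued from the injected copy of the process as well.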
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: iconcodecservice.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: dwrite.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: textshaping.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: iconcodecservice.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: nD2ozRD7MN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: nD2ozRD7MN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: MyClientPlugin.pdblt source: WER3715.tmp.dmp.25.dr
Source: Binary string: NanoCoreStressTester.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: Accessibility.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: FileBrowserClient.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Management.pdbu source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Configuration.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Configuration.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: Accessibility.pdbP source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Configuration.pdbt^ source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Windows.Forms.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: mscorlib.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: NanoCoreStressTester.pdbxX source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Drawing.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Management.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: mscorlib.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Management.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: MyClientPluginNew.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: MyClientPlugin.pdbL0 source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER3715.tmp.dmp.25.dr
Source: Binary string: MyClientPlugin.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.ni.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: NanoCoreBase.pdb source: WER3715.tmp.dmp.25.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdby source: WER3715.tmp.dmp.25.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER3715.tmp.dmp.25.dr
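The PDB paths listed above (NanoCoreStressTester.pdb, NanoCoreBase.pdb, the several MyClientPlugin builds, FileBrowserClient.pdb) come from CodeView "RSDS" records that survive in the unpacked NanoCore plugin assemblies and in the WER minidump; the shorter hits such as "MyClientPlugin.pdblt" are plain string matches with trailing bytes from whatever followed the path. The Python below is an added example, not part of this report or of the sample, that walks a raw memory dump for RSDS records, keeps only those followed by a plausible NUL-terminated path, and derives the symbol-server key (GUID plus age) that identifies the exact build; it also runs the cruder string scan so the two kinds of result can be compared. The embedded dump is constructed for the example and reuses two paths from the findings above; its GUIDs, ages and offsets are made up.

```python
import re
import struct

RSDS = struct.Struct("<4s16sI")  # signature "RSDS", 16-byte GUID, age (uint32 LE)


def guid_to_str(raw: bytes) -> str:
    """Render a stored GUID the way PDB tooling prints it (Data1-3 are little-endian)."""
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    d4 = raw[8:].hex().upper()
    return f"{d1:08X}-{d2:04X}-{d3:04X}-{d4[:4]}-{d4[4:]}"


def symsrv_key(raw: bytes, age: int) -> str:
    """GUID + age as used in a symbol-server path (<name>.pdb/<key>/<name>.pdb)."""
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    return f"{d1:08X}{d2:04X}{d3:04X}{raw[8:].hex().upper()}{age:X}"


def plausible_pdb_path(path: bytes) -> bool:
    """Printable ASCII ending in .pdb; rejects 'RSDS' hits that are just random bytes."""
    return (bool(path) and path.lower().endswith(b".pdb")
            and all(0x20 <= b < 0x7F for b in path))


def parse_rsds_records(buf: bytes, max_path: int = 1024) -> list:
    """Every 'RSDS' occurrence whose trailing NUL-terminated string looks like a PDB path."""
    records = []
    pos = buf.find(b"RSDS")
    while pos != -1:
        header = buf[pos:pos + RSDS.size]
        if len(header) == RSDS.size:
            _, guid, age = RSDS.unpack(header)
            start = pos + RSDS.size
            end = buf.find(b"\x00", start, start + max_path)
            path = buf[start:end] if end != -1 else b""
            if plausible_pdb_path(path):
                records.append({
                    "offset": pos, "guid": guid_to_str(guid), "age": age,
                    "path": path.decode("ascii"), "symkey": symsrv_key(guid, age),
                })
        pos = buf.find(b"RSDS", pos + 1)
    return records


def find_pdb_strings(buf: bytes) -> list:
    """The cruder scan: any printable run ending in '.pdb', CodeView header or not."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]+\.pdb", buf, flags=re.IGNORECASE)]


# Constructed test image (not from the sample): two valid records using paths from the
# report, one 'RSDS' false positive followed by junk, and one bare string without a header.
_GUID_A = bytes.fromhex("78563412" "3412" "7856" "0123456789abcdef")
_PATH_A = (b"C:\\Users\\Liam\\Documents\\Visual Studio 2013\\Projects\\NanoCoreStressTester"
           b"\\NanoCoreStressTester\\obj\\Debug\\NanoCoreStressTester.pdb")
_PATH_B = (b"P:\\Visual Studio Projects\\Projects 15\\NanoNana\\MyClientPlugin"
           b"\\obj\\Debug\\MyClientPlugin.pdb")
SAMPLE_DUMP = (
    b"\x00" * 32
    + RSDS.pack(b"RSDS", _GUID_A, 1) + _PATH_A + b"\x00"
    + b"\x90" * 16
    + b"RSDS" + b"\xff" * 20 + b"\x01\x02\x03" + b"\x00" * 8   # signature, no real path
    + b"MyClientPlugin.pdblt\x00"                               # string hit only
    + RSDS.pack(b"RSDS", _GUID_A[::-1], 7) + _PATH_B + b"\x00"
)

if __name__ == "__main__":
    for rec in parse_rsds_records(SAMPLE_DUMP):
        print(f"+{rec['offset']:#06x} {rec['guid']} age={rec['age']} {rec['path']}")
        print(f"         symsrv key: {rec['symkey']}")
    print("string hits:", find_pdb_strings(SAMPLE_DUMP))
```

On a real dump, pass the file contents (`parse_rsds_records(open(dump, "rb").read())`) rather than SAMPLE_DUMP. In an intact PE the record should be reached through the debug directory (IMAGE_DEBUG_TYPE_CODEVIEW); the raw scan is for .sdmp regions and unpacked blobs where headers may be missing. The user names and project folders in the recovered paths are build-environment artefacts, which is why they are useful for clustering plugin builds across samples.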

Data Obfuscation

Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs .Net Code: AQvIhqP4VfSN9dCMQSe System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs .Net Code: AQvIhqP4VfSN9dCMQSe System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs .Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dqf3c4WtE_0024_0024thN5QyBMvo3u0lth2VF5hmfUsIv1r8yRkg_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qjIje6jGWLd2EOkfZXKqBbg--.cs .Net Code: _0023_003Dq_FL69pQf17BUSAFbWYu1SStMAbdu_0024R1GJ8VY8UL5_EA_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, --qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU-.cs .Net Code: _0023_003DqKU0J1fiP8KA33eFK1owekQ_003D_003D System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.73f0000.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs .Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs .Net Code: AQvIhqP4VfSN9dCMQSe System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 0_2_0741E809 pushad ; retn 0598h 0_2_0741E871
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 0_2_07F34910 push eax; ret 0_2_07F3491D
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 9_2_025A0CF7 push edi; iretd 9_2_025A0D16
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 9_2_059BFC17 push esp; retf 9_2_059BFC25
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 15_2_07D12F58 push esp; retf 15_2_07D12F65
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_00F210BF push esp; retf 19_2_00F210CD
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Code function: 19_2_06BC0882 push es; ret 19_2_06BC0890
Source: nD2ozRD7MN.exe Static PE information: section name: .text entropy: 7.690214537258505
Source: dnshost.exe.5.dr Static PE information: section name: .text entropy: 7.690214537258505
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, maxN2I2ang3jEH757O.cs High entropy of concatenated method names: 'mTrdhBXpF4', 'Uf1dvMak23', 'vSidtOatJ0', 'p4wdqBNnLO', 'NpYdmQUreU', 'rnJdS3B1XV', 'ECmdN2GKAF', 'tVGdPYOqyU', 'GnxdOqAGuD', 'PDadbpgCog'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, US6vhyXc0YwLr8UnSM.cs High entropy of concatenated method names: 'lnp168VhyI', 'bcW1Xo6rwu', 'VS58Vv8QdM', 'h3g8QqWoIm', 'E6B1l0CCAg', 'BoY1oLmnBt', 'olG1KMBD8W', 'Ly41gXEbJT', 'hA21Io9X9j', 'yAB1B7MsXE'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, mNWvBxQb6b2JvYkMbX.cs High entropy of concatenated method names: 'DV20yi0xth', 'E9T0WIesWi', 'yog0r4cdNd', 'W0j0dK2Hdo', 'mKh0fnd4Yo', 'Aqfrsio5UX', 'hZprkRKOyx', 'oB8rMduVlA', 'Kndr6AOlpA', 'yT3reir19m'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hmnpKV4OT08QcYcFDi.cs High entropy of concatenated method names: 'HLQtKEkRF', 'TyXqIZNwB', 'sEMSF6VNy', 'N3jNNHPox', 'pGmOQrRUl', 'oAEb2I0Fj', 'JCS7LUFGC0ZJcIlWaJ', 'EZig26MErNEjwa1SZA', 'qai8Ql0DG', 'CQDujU20t'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, sejACtzgJPd1hCmShE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NhtRYFd9VG', 'NlwRZhLeHR', 'loRRAb3pZf', 'IeuR1qwA86', 'mXIR8NWT4e', 'hbBRRLbiBb', 'iUpRukC26G'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, hZt63p0jP4sfuIZbVJ.cs High entropy of concatenated method names: 'fAGcyHnxI3', 'N1jc39OgqO', 'RNvcWAgfcK', 'eLscHe7ytG', 'VhmcrqByje', 'D3Uc0ryRTY', 'QDWcdHKVHK', 'QnZcfYsJ6U', 'OJ3cxuBwS6', 'q5DcjoVvw4'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, FLL3g3KMc42c7pyt7wv.cs High entropy of concatenated method names: 'ibmRhjRH6d', 'epURvn2DOn', 'thaRt8i0Nj', 'Vu6Rqa8RoE', 'AbRRmDwWRX', 'jn9RSqHr8g', 'q2mRNLX0e9', 'RfPRPcBwou', 'JovROEmaCT', 'KtKRby28k8'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, VID7nldnwpTNG5dFHK.cs High entropy of concatenated method names: 'IFwrmTseM1', 'JYfrNtoJoL', 'mBgHCoMRBq', 'xx1H9rpKwO', 'LIPH7i06GC', 'NeAHpTqRIP', 'kntHLLZ79v', 'di0HUhDIcZ', 'bFjHiyhc2u', 'sT8HnDGMlR'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, GedG3oFM6w0mMFgBOg.cs High entropy of concatenated method names: 'OMGZnAP8mE', 'sbbZoDBbe4', 'Fi3ZgBHMst', 'IWOZInCVXF', 'H2BZaxwwJ2', 'VJkZCs8sJB', 'cERZ9pWVDw', 'rXMZ77ETtu', 'f3cZpVZL18', 'blcZLXA4vQ'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, t5HF8XtGmyEDuidHJ0.cs High entropy of concatenated method names: 'qySYP6I632', 'DevYOOeCf6', 'YveY21qSxF', 'cY1YaoDXd7', 'xMAY9dNc5Z', 'CJ6Y7ry5KK', 'Gj4YL1vdLq', 'iabYUi2U5b', 'r4jYnTmlsQ', 'U51YlixjCl'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, CY9TxsrJ04L7H3BEfv.cs High entropy of concatenated method names: 'kYhd3e1NQg', 'p9tdHSLcEM', 'AYud0v1hLV', 'lpa0X6y3qy', 'mCh0zFHDQE', 'heVdVlVabA', 'w4WdQWp8HX', 'uJ8dEBmyB4', 'MaFdcHK6AI', 'J6GdwlN0gS'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs High entropy of concatenated method names: 'MhtWgr1cYr', 'rI1WIbktqR', 'LDJWB40vc5', 'b5fWTq5Ymc', 'wCLWslRjuw', 'xKwWkNt5w9', 'rGHWMorWLc', 'TnDW667AAb', 'y8VWeXjtRA', 'dgVWXufZKv'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, CHyvnWHAn70aLa7jWH.cs High entropy of concatenated method names: 'p5jRQ32Mxg', 'GgKRcpscwp', 'ubmRwdVl3G', 'RecR35tAil', 'o3JRWUpe2f', 'VhhRr03CjE', 'JFyR09v6eK', 'RpY8ME4Kky', 'kdH864oVPA', 'wKN8eogT9p'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, kRNAcJvVOeSRFgFQ6J.cs High entropy of concatenated method names: 'ToString', 'F0gAlAcxul', 'BWuAadNFtb', 'z4PACfa1jE', 'vIWA9ldnXq', 'OFDA78MKwZ', 'JAIAp3u0K7', 'K7NALjRZdx', 'KVTAUCJrqI', 'RroAiTWPcH'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, Y71HWoq8alU03bopHX.cs High entropy of concatenated method names: 'Hbs830Uyo2', 'eps8WKnsAI', 'gjj8Hp41pL', 'PuQ8rA2I1h', 'KYp80rRLeO', 'Uer8dR9ndy', 'xL88f7DlSJ', 'rOC8xxkmZj', 'Dxq8jU8Te9', 'X708FMhBRZ'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, GPreDaRCfFsC4saotE.cs High entropy of concatenated method names: 'O7O82kNxOU', 'knJ8aiQnmB', 'jZo8C38Vl7', 'qtK895ktY3', 'wKd8geoEgs', 'mn2878CvQk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, fykWaJN4YqARddZSYT.cs High entropy of concatenated method names: 'RSGQdN6Aii', 'eBPQfnCA7q', 'E92Qjld9wR', 'QbNQFZKCNK', 'zZ7QZcyNfw', 'KWnQAol8wJ', 'EIdZZyAqXCl8JVkrF1', 'oHaa00ax5nc60rNfT4', 'xaQQQNdMlv', 'RauQcg3RJf'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, vb78FfKwGRxSVQKyGV5.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i6Vugi9GFh', 'TKsuIWiolU', 'DS9uBD69FY', 'om0uT9iCrB', 'sqtus3BkW7', 'FONukN9CW8', 'dZZuMgkZve'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, gjKo6oOIHk6yJCaogO.cs High entropy of concatenated method names: 'Dispose', 'CnJQemUAM1', 'M3dEaJg5f6', 'CLpJJBkt3J', 'gKyQXPBEAk', 'icwQzfUg7R', 'ProcessDialogKey', 'iAOEVS1iMT', 'MQdEQaVB6k', 'lunEEHxh4l'
Source: 0.2.nD2ozRD7MN.exe.7ea0000.5.raw.unpack, v23u6iYSQ5Vfhhyo6Y.cs High entropy of concatenated method names: 'u6QHqnYCjW', 'SVpHSHLtGB', 'NnhHPFW3iE', 'e2MHOC3YlT', 'NauHZwdBpL', 'rFYHAlBq4p', 'iGRH1TaI3D', 'Jq3H8jeAwu', 'C8ZHRXNDTY', 'BrkHuWTDyJ'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, maxN2I2ang3jEH757O.cs High entropy of concatenated method names: 'mTrdhBXpF4', 'Uf1dvMak23', 'vSidtOatJ0', 'p4wdqBNnLO', 'NpYdmQUreU', 'rnJdS3B1XV', 'ECmdN2GKAF', 'tVGdPYOqyU', 'GnxdOqAGuD', 'PDadbpgCog'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, US6vhyXc0YwLr8UnSM.cs High entropy of concatenated method names: 'lnp168VhyI', 'bcW1Xo6rwu', 'VS58Vv8QdM', 'h3g8QqWoIm', 'E6B1l0CCAg', 'BoY1oLmnBt', 'olG1KMBD8W', 'Ly41gXEbJT', 'hA21Io9X9j', 'yAB1B7MsXE'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, mNWvBxQb6b2JvYkMbX.cs High entropy of concatenated method names: 'DV20yi0xth', 'E9T0WIesWi', 'yog0r4cdNd', 'W0j0dK2Hdo', 'mKh0fnd4Yo', 'Aqfrsio5UX', 'hZprkRKOyx', 'oB8rMduVlA', 'Kndr6AOlpA', 'yT3reir19m'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hmnpKV4OT08QcYcFDi.cs High entropy of concatenated method names: 'HLQtKEkRF', 'TyXqIZNwB', 'sEMSF6VNy', 'N3jNNHPox', 'pGmOQrRUl', 'oAEb2I0Fj', 'JCS7LUFGC0ZJcIlWaJ', 'EZig26MErNEjwa1SZA', 'qai8Ql0DG', 'CQDujU20t'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, sejACtzgJPd1hCmShE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NhtRYFd9VG', 'NlwRZhLeHR', 'loRRAb3pZf', 'IeuR1qwA86', 'mXIR8NWT4e', 'hbBRRLbiBb', 'iUpRukC26G'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, hZt63p0jP4sfuIZbVJ.cs High entropy of concatenated method names: 'fAGcyHnxI3', 'N1jc39OgqO', 'RNvcWAgfcK', 'eLscHe7ytG', 'VhmcrqByje', 'D3Uc0ryRTY', 'QDWcdHKVHK', 'QnZcfYsJ6U', 'OJ3cxuBwS6', 'q5DcjoVvw4'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, FLL3g3KMc42c7pyt7wv.cs High entropy of concatenated method names: 'ibmRhjRH6d', 'epURvn2DOn', 'thaRt8i0Nj', 'Vu6Rqa8RoE', 'AbRRmDwWRX', 'jn9RSqHr8g', 'q2mRNLX0e9', 'RfPRPcBwou', 'JovROEmaCT', 'KtKRby28k8'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, VID7nldnwpTNG5dFHK.cs High entropy of concatenated method names: 'IFwrmTseM1', 'JYfrNtoJoL', 'mBgHCoMRBq', 'xx1H9rpKwO', 'LIPH7i06GC', 'NeAHpTqRIP', 'kntHLLZ79v', 'di0HUhDIcZ', 'bFjHiyhc2u', 'sT8HnDGMlR'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, GedG3oFM6w0mMFgBOg.cs High entropy of concatenated method names: 'OMGZnAP8mE', 'sbbZoDBbe4', 'Fi3ZgBHMst', 'IWOZInCVXF', 'H2BZaxwwJ2', 'VJkZCs8sJB', 'cERZ9pWVDw', 'rXMZ77ETtu', 'f3cZpVZL18', 'blcZLXA4vQ'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, t5HF8XtGmyEDuidHJ0.cs High entropy of concatenated method names: 'qySYP6I632', 'DevYOOeCf6', 'YveY21qSxF', 'cY1YaoDXd7', 'xMAY9dNc5Z', 'CJ6Y7ry5KK', 'Gj4YL1vdLq', 'iabYUi2U5b', 'r4jYnTmlsQ', 'U51YlixjCl'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, CY9TxsrJ04L7H3BEfv.cs High entropy of concatenated method names: 'kYhd3e1NQg', 'p9tdHSLcEM', 'AYud0v1hLV', 'lpa0X6y3qy', 'mCh0zFHDQE', 'heVdVlVabA', 'w4WdQWp8HX', 'uJ8dEBmyB4', 'MaFdcHK6AI', 'J6GdwlN0gS'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs High entropy of concatenated method names: 'MhtWgr1cYr', 'rI1WIbktqR', 'LDJWB40vc5', 'b5fWTq5Ymc', 'wCLWslRjuw', 'xKwWkNt5w9', 'rGHWMorWLc', 'TnDW667AAb', 'y8VWeXjtRA', 'dgVWXufZKv'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, CHyvnWHAn70aLa7jWH.cs High entropy of concatenated method names: 'p5jRQ32Mxg', 'GgKRcpscwp', 'ubmRwdVl3G', 'RecR35tAil', 'o3JRWUpe2f', 'VhhRr03CjE', 'JFyR09v6eK', 'RpY8ME4Kky', 'kdH864oVPA', 'wKN8eogT9p'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, kRNAcJvVOeSRFgFQ6J.cs High entropy of concatenated method names: 'ToString', 'F0gAlAcxul', 'BWuAadNFtb', 'z4PACfa1jE', 'vIWA9ldnXq', 'OFDA78MKwZ', 'JAIAp3u0K7', 'K7NALjRZdx', 'KVTAUCJrqI', 'RroAiTWPcH'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, Y71HWoq8alU03bopHX.cs High entropy of concatenated method names: 'Hbs830Uyo2', 'eps8WKnsAI', 'gjj8Hp41pL', 'PuQ8rA2I1h', 'KYp80rRLeO', 'Uer8dR9ndy', 'xL88f7DlSJ', 'rOC8xxkmZj', 'Dxq8jU8Te9', 'X708FMhBRZ'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, GPreDaRCfFsC4saotE.cs High entropy of concatenated method names: 'O7O82kNxOU', 'knJ8aiQnmB', 'jZo8C38Vl7', 'qtK895ktY3', 'wKd8geoEgs', 'mn2878CvQk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, fykWaJN4YqARddZSYT.cs High entropy of concatenated method names: 'RSGQdN6Aii', 'eBPQfnCA7q', 'E92Qjld9wR', 'QbNQFZKCNK', 'zZ7QZcyNfw', 'KWnQAol8wJ', 'EIdZZyAqXCl8JVkrF1', 'oHaa00ax5nc60rNfT4', 'xaQQQNdMlv', 'RauQcg3RJf'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, vb78FfKwGRxSVQKyGV5.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i6Vugi9GFh', 'TKsuIWiolU', 'DS9uBD69FY', 'om0uT9iCrB', 'sqtus3BkW7', 'FONukN9CW8', 'dZZuMgkZve'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, gjKo6oOIHk6yJCaogO.cs High entropy of concatenated method names: 'Dispose', 'CnJQemUAM1', 'M3dEaJg5f6', 'CLpJJBkt3J', 'gKyQXPBEAk', 'icwQzfUg7R', 'ProcessDialogKey', 'iAOEVS1iMT', 'MQdEQaVB6k', 'lunEEHxh4l'
Source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, v23u6iYSQ5Vfhhyo6Y.cs High entropy of concatenated method names: 'u6QHqnYCjW', 'SVpHSHLtGB', 'NnhHPFW3iE', 'e2MHOC3YlT', 'NauHZwdBpL', 'rFYHAlBq4p', 'iGRH1TaI3D', 'Jq3H8jeAwu', 'C8ZHRXNDTY', 'BrkHuWTDyJ'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, maxN2I2ang3jEH757O.cs High entropy of concatenated method names: 'mTrdhBXpF4', 'Uf1dvMak23', 'vSidtOatJ0', 'p4wdqBNnLO', 'NpYdmQUreU', 'rnJdS3B1XV', 'ECmdN2GKAF', 'tVGdPYOqyU', 'GnxdOqAGuD', 'PDadbpgCog'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, US6vhyXc0YwLr8UnSM.cs High entropy of concatenated method names: 'lnp168VhyI', 'bcW1Xo6rwu', 'VS58Vv8QdM', 'h3g8QqWoIm', 'E6B1l0CCAg', 'BoY1oLmnBt', 'olG1KMBD8W', 'Ly41gXEbJT', 'hA21Io9X9j', 'yAB1B7MsXE'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, mNWvBxQb6b2JvYkMbX.cs High entropy of concatenated method names: 'DV20yi0xth', 'E9T0WIesWi', 'yog0r4cdNd', 'W0j0dK2Hdo', 'mKh0fnd4Yo', 'Aqfrsio5UX', 'hZprkRKOyx', 'oB8rMduVlA', 'Kndr6AOlpA', 'yT3reir19m'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hmnpKV4OT08QcYcFDi.cs High entropy of concatenated method names: 'HLQtKEkRF', 'TyXqIZNwB', 'sEMSF6VNy', 'N3jNNHPox', 'pGmOQrRUl', 'oAEb2I0Fj', 'JCS7LUFGC0ZJcIlWaJ', 'EZig26MErNEjwa1SZA', 'qai8Ql0DG', 'CQDujU20t'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, sejACtzgJPd1hCmShE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NhtRYFd9VG', 'NlwRZhLeHR', 'loRRAb3pZf', 'IeuR1qwA86', 'mXIR8NWT4e', 'hbBRRLbiBb', 'iUpRukC26G'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, hZt63p0jP4sfuIZbVJ.cs High entropy of concatenated method names: 'fAGcyHnxI3', 'N1jc39OgqO', 'RNvcWAgfcK', 'eLscHe7ytG', 'VhmcrqByje', 'D3Uc0ryRTY', 'QDWcdHKVHK', 'QnZcfYsJ6U', 'OJ3cxuBwS6', 'q5DcjoVvw4'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, FLL3g3KMc42c7pyt7wv.cs High entropy of concatenated method names: 'ibmRhjRH6d', 'epURvn2DOn', 'thaRt8i0Nj', 'Vu6Rqa8RoE', 'AbRRmDwWRX', 'jn9RSqHr8g', 'q2mRNLX0e9', 'RfPRPcBwou', 'JovROEmaCT', 'KtKRby28k8'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, VID7nldnwpTNG5dFHK.cs High entropy of concatenated method names: 'IFwrmTseM1', 'JYfrNtoJoL', 'mBgHCoMRBq', 'xx1H9rpKwO', 'LIPH7i06GC', 'NeAHpTqRIP', 'kntHLLZ79v', 'di0HUhDIcZ', 'bFjHiyhc2u', 'sT8HnDGMlR'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, GedG3oFM6w0mMFgBOg.cs High entropy of concatenated method names: 'OMGZnAP8mE', 'sbbZoDBbe4', 'Fi3ZgBHMst', 'IWOZInCVXF', 'H2BZaxwwJ2', 'VJkZCs8sJB', 'cERZ9pWVDw', 'rXMZ77ETtu', 'f3cZpVZL18', 'blcZLXA4vQ'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, t5HF8XtGmyEDuidHJ0.cs High entropy of concatenated method names: 'qySYP6I632', 'DevYOOeCf6', 'YveY21qSxF', 'cY1YaoDXd7', 'xMAY9dNc5Z', 'CJ6Y7ry5KK', 'Gj4YL1vdLq', 'iabYUi2U5b', 'r4jYnTmlsQ', 'U51YlixjCl'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, CY9TxsrJ04L7H3BEfv.cs High entropy of concatenated method names: 'kYhd3e1NQg', 'p9tdHSLcEM', 'AYud0v1hLV', 'lpa0X6y3qy', 'mCh0zFHDQE', 'heVdVlVabA', 'w4WdQWp8HX', 'uJ8dEBmyB4', 'MaFdcHK6AI', 'J6GdwlN0gS'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, Xkj9BfuZTQp0G2lgKt.cs High entropy of concatenated method names: 'MhtWgr1cYr', 'rI1WIbktqR', 'LDJWB40vc5', 'b5fWTq5Ymc', 'wCLWslRjuw', 'xKwWkNt5w9', 'rGHWMorWLc', 'TnDW667AAb', 'y8VWeXjtRA', 'dgVWXufZKv'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, CHyvnWHAn70aLa7jWH.cs High entropy of concatenated method names: 'p5jRQ32Mxg', 'GgKRcpscwp', 'ubmRwdVl3G', 'RecR35tAil', 'o3JRWUpe2f', 'VhhRr03CjE', 'JFyR09v6eK', 'RpY8ME4Kky', 'kdH864oVPA', 'wKN8eogT9p'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, kRNAcJvVOeSRFgFQ6J.cs High entropy of concatenated method names: 'ToString', 'F0gAlAcxul', 'BWuAadNFtb', 'z4PACfa1jE', 'vIWA9ldnXq', 'OFDA78MKwZ', 'JAIAp3u0K7', 'K7NALjRZdx', 'KVTAUCJrqI', 'RroAiTWPcH'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, Y71HWoq8alU03bopHX.cs High entropy of concatenated method names: 'Hbs830Uyo2', 'eps8WKnsAI', 'gjj8Hp41pL', 'PuQ8rA2I1h', 'KYp80rRLeO', 'Uer8dR9ndy', 'xL88f7DlSJ', 'rOC8xxkmZj', 'Dxq8jU8Te9', 'X708FMhBRZ'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, GPreDaRCfFsC4saotE.cs High entropy of concatenated method names: 'O7O82kNxOU', 'knJ8aiQnmB', 'jZo8C38Vl7', 'qtK895ktY3', 'wKd8geoEgs', 'mn2878CvQk', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, fykWaJN4YqARddZSYT.cs High entropy of concatenated method names: 'RSGQdN6Aii', 'eBPQfnCA7q', 'E92Qjld9wR', 'QbNQFZKCNK', 'zZ7QZcyNfw', 'KWnQAol8wJ', 'EIdZZyAqXCl8JVkrF1', 'oHaa00ax5nc60rNfT4', 'xaQQQNdMlv', 'RauQcg3RJf'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, vb78FfKwGRxSVQKyGV5.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i6Vugi9GFh', 'TKsuIWiolU', 'DS9uBD69FY', 'om0uT9iCrB', 'sqtus3BkW7', 'FONukN9CW8', 'dZZuMgkZve'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, gjKo6oOIHk6yJCaogO.cs High entropy of concatenated method names: 'Dispose', 'CnJQemUAM1', 'M3dEaJg5f6', 'CLpJJBkt3J', 'gKyQXPBEAk', 'icwQzfUg7R', 'ProcessDialogKey', 'iAOEVS1iMT', 'MQdEQaVB6k', 'lunEEHxh4l'
Source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, v23u6iYSQ5Vfhhyo6Y.cs High entropy of concatenated method names: 'u6QHqnYCjW', 'SVpHSHLtGB', 'NnhHPFW3iE', 'e2MHOC3YlT', 'NauHZwdBpL', 'rFYHAlBq4p', 'iGRH1TaI3D', 'Jq3H8jeAwu', 'C8ZHRXNDTY', 'BrkHuWTDyJ'
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe File created: C:\Program Files (x86)\DNS Host\dnshost.exe
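The "High entropy of concatenated method names" entries above are a static heuristic for symbol obfuscation: .NET protectors replace member names with random alphanumeric strings, so the Shannon entropy of all method names of a class joined together is higher than for names built from English words. The Python below is an added example written for this page, not Joe Sandbox's implementation. It applies the measure to the names listed in the hZt63p0jP4sfuIZbVJ.cs entry and to a control set of ordinary .NET member names (Dispose, ToString, CanConvertFrom, ConvertFrom, ConvertTo, ProcessDialogKey, Next and NextBytes appear in the entries above; GetHashCode and Equals are added to round out a realistic class). The 5.0 bits-per-character cutoff and the digit-ratio feature are assumptions for illustration, not the report's thresholds.

```python
import math
from collections import Counter

# Method names copied from the hZt63p0jP4sfuIZbVJ.cs entry of the report.
OBFUSCATED = ['fAGcyHnxI3', 'N1jc39OgqO', 'RNvcWAgfcK', 'eLscHe7ytG', 'VhmcrqByje',
              'D3Uc0ryRTY', 'QDWcdHKVHK', 'QnZcfYsJ6U', 'OJ3cxuBwS6', 'q5DcjoVvw4']

# Control set: ordinary .NET member names. Most appear in the report's own
# entries; GetHashCode and Equals are added here to make a realistic class.
ORDINARY = ['Dispose', 'ToString', 'GetHashCode', 'Equals', 'CanConvertFrom',
            'ConvertFrom', 'ConvertTo', 'ProcessDialogKey', 'Next', 'NextBytes']

# Illustrative cutoff (an assumption, not Joe Sandbox's). A random string over
# mixed-case letters and digits tops out at log2(62) ~= 5.95 bits per character.
ENTROPY_THRESHOLD = 5.0


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def concatenated_name_entropy(names) -> float:
    """The report's measure: entropy of all method names of one class joined together."""
    return shannon_entropy(''.join(names))


def digit_ratio(names) -> float:
    """Fraction of characters that are digits; word-derived identifiers have almost none."""
    joined = ''.join(names)
    return sum(ch.isdigit() for ch in joined) / len(joined) if joined else 0.0


def looks_obfuscated(names, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the concatenated-name entropy reaches the (assumed) threshold."""
    return concatenated_name_entropy(names) >= threshold


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('ordinary', ORDINARY)):
        print(f"{label:11s} entropy={concatenated_name_entropy(names):.2f} "
              f"digits={digit_ratio(names):.2f} flagged={looks_obfuscated(names)}")
```

The obfuscated class scores roughly 5.3 bits per character against roughly 4.5 for the control set, so the gap is real but not enormous: short classes or names that mix many capitalised words can score high as well, which is why a triage script should combine this with the digit ratio and with the proportion of classes in the assembly that trip the threshold rather than flagging on one class.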

Boot Survival

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run DNS Host (2 occurrences)
The task definition is supplied as an XML file staged in the user's Temp directory (tmpC5F1.tmp) and registered under the benign-looking name "DNS Host"; a scheduled task created from a temp-staged XML is a reliable detection anchor because legitimate installers rarely do it. The Run value lands under WOW6432Node because the 32-bit sample's HKLM\SOFTWARE writes are redirected by WOW64, so a hunt must check both the native and the WOW6432Node Run keys as well as the task library.

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe File opened: C:\Users\user\Desktop\nD2ozRD7MN.exe:Zone.Identifier read attributes | delete
The Zone.Identifier alternate data stream is the Mark-of-the-Web that records a file as downloaded; opening it with delete access strips the mark, so the sample no longer presents as an Internet-origin file to SmartScreen or to any control that keys on the zone.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (12 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (9 occurrences)
Reading the BitLocker module manifest is consistent with PowerShell's command auto-discovery, which parses the manifests of the modules on PSModulePath when it resolves a cmdlet from a module that is not yet loaded; no BitLocker cmdlet is shown being invoked, so on its own this entry is weak evidence of any interaction with disk encryption.
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX (27 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (100 identical events)
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process information set: NOOPENFILEERRORBOX (31 identical events)
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process information set: NOOPENFILEERRORBOX (40 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (96 identical events)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 8060, type: MEMORYSTR
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 13B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 2DF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 98A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: A8A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: AAD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: BAD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: BF20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: CF20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: DF20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 19B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 33B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 9F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 2850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 2550000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 8A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 9A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 9C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: AC60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: B070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: C070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 11B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 2C30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: 4C30000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 14D0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 3230000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 1620000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 93F0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: A3F0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: A5F0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: B5F0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: BC00000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: CC00000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: DC00000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 1300000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2D90000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: E90000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: EF0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 8C20000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 9C20000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 9E30000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: AE30000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: B240000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: C240000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory allocated: 3080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6536
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1599
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Window / User API: threadDelayed 7761
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Window / User API: threadDelayed 1805
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Window / User API: foregroundWindowGot 711
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Window / User API: foregroundWindowGot 931
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3581
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7912
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1537
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe TID: 6556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe TID: 7384 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe TID: 7332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584 Thread sleep count: 3581 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7652 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe TID: 7512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep count: 7912 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep count: 1537 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7956 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 7864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DNS Host\dnshost.exe TID: 8132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: Amcache.hve.25.dr Binary or memory string: VMware
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.25.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.25.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.25.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.25.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.25.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.25.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: nD2ozRD7MN.exe, 00000000.00000002.2037006043.0000000007EA0000.00000004.08000000.00040000.00000000.sdmp, nD2ozRD7MN.exe, 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CnJQemUAM1
Source: Amcache.hve.25.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.25.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: nD2ozRD7MN.exe, 00000005.00000002.3555930412.0000000006A80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.25.dr Binary or memory string: vmci.sys
Source: Amcache.hve.25.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.25.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.25.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.25.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.25.dr Binary or memory string: VMware20,1
Source: Amcache.hve.25.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.25.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.25.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.25.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.25.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.25.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.25.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.25.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.25.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.25.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory written: C:\Users\user\Desktop\nD2ozRD7MN.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Memory written: C:\Users\user\Desktop\nD2ozRD7MN.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Memory written: C:\Program Files (x86)\DNS Host\dnshost.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host" /xml "C:\Users\user\AppData\Local\Temp\tmpC5F1.tmp"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DNS Host Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC8C1.tmp"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Process created: C:\Users\user\Desktop\nD2ozRD7MN.exe "C:\Users\user\Desktop\nD2ozRD7MN.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Process created: C:\Program Files (x86)\DNS Host\dnshost.exe "C:\Program Files (x86)\DNS Host\dnshost.exe"
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqt
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000356A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqX\W
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000039CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000039CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000035F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager$
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerlBeq
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqx
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqP*
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqhx
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerm
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003526000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq<
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq@
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqX
Source: nD2ozRD7MN.exe, 00000005.00000002.3557721308.000000000784C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program ManagerX
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq$
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003656000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqd
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq(
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000039CE000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003590000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq,
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003656000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReql
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq0
Source: nD2ozRD7MN.exe, 00000005.00000002.3556656955.0000000006C7D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program ManagerH
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000395A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqT
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq\Q
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000357C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq}X
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqX
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq\L
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq\
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq4h
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq4(
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038A9000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000039CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq`
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000038E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager8
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqD
Source: nD2ozRD7MN.exe, 00000005.00000002.3557295916.0000000007579000.00000004.00000010.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3559273017.0000000007CBC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program ManagerManager
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003614000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqH
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq0Z
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003656000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqL
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqxDw
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000036D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqhfo
Source: nD2ozRD7MN.exe, 00000005.00000002.3555885087.0000000006A7C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager|
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000037A7000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000393A000.00000004.00000800.00020000.00000000.sdmp, nD2ozRD7MN.exe, 00000005.00000002.3543198585.0000000003656000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReqP
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Users\user\Desktop\nD2ozRD7MN.exe VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Users\user\Desktop\nD2ozRD7MN.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Users\user\Desktop\nD2ozRD7MN.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Users\user\Desktop\nD2ozRD7MN.exe VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Program Files (x86)\DNS Host\dnshost.exe VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DNS Host\dnshost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Code function: 5_2_078E1D70 GetSystemTimes, 5_2_078E1D70
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.25.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.25.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\nD2ozRD7MN.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR

Remote Access Functionality

Source: nD2ozRD7MN.exe, 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557957967.0000000007880000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557822095.0000000007860000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000045E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558552439.00000000078F0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557377899.00000000076D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558104090.00000000078A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558267406.00000000078C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558019588.0000000007890000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558638769.0000000007900000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3558861975.0000000007930000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.000000000341D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3553602529.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3549495564.00000000046DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557767120.0000000007850000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3557903252.0000000007870000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: nD2ozRD7MN.exe, 00000005.00000002.3557457551.00000000076E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: nD2ozRD7MN.exe, 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: nD2ozRD7MN.exe, 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dnshost.exe, 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dnshost.exe, 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c84c45.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.4075ad0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.3f95ab0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nD2ozRD7MN.exe.5cd4629.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c7b7e6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.41295d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a9a7a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.nD2ozRD7MN.exe.41295d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.nD2ozRD7MN.exe.3c8061c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.49b1760.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nD2ozRD7MN.exe.4a25f80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2062497793.0000000004075000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3553716195.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2110027651.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2062497793.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112791881.0000000003C39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2022736940.0000000003F79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2112471535.0000000002C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2136851578.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2022736940.00000000047CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3543198585.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 1892, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 5016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nD2ozRD7MN.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dnshost.exe PID: 7800, type: MEMORYSTR
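Added example, not part of the sandbox report and not the Yara rule the sandbox used: a small Python triage scanner that looks in a memory dump for the NanoCore plugin type names listed in the string hits above and groups the hits by plugin assembly. It searches for each marker both as raw ASCII (the form .NET metadata uses for identifiers in the #Strings heap) and as UTF-16LE (the form runtime String objects and user strings take), because a dump of a loaded plugin can carry either. The marker strings are copied from the report; the sample buffer below is constructed for the example and is not a real dump fragment.

```python
"""Triage scanner for NanoCore plugin markers in a memory dump.

Added example written for this page; the marker strings are the ones the
report lists, the sample buffer is constructed here.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Marker strings taken from the report's memory-string hits, grouped by the
# plugin assembly whose metadata carries them.
PLUGIN_MARKERS: Dict[str, List[bytes]] = {
    "core host interface": [b"NanoCore.ClientPluginHost", b"ClientPlugin.dll"],
    "NanoCoreStressTester (HTTP/SlowLoris/SYN/UDP flood)": [
        b"NanoCoreStressTester", b"HTTPFlood", b"SlowLoris", b"SYNFlood"],
    "NanoCoreBase (CD tray, mouse swap, message box)": [
        b"NanoCoreBase.dll", b"set CDAudio door open", b"SwapMouseButton"],
    "MyClientPlugin (DisableWebcamLights)": [
        b"MyClientPlugin.dll", b"DisableWebcamLights"],
}


def _encodings(marker: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (label, needle) for the two encodings a .NET dump may contain."""
    yield "ascii", marker
    yield "utf-16le", marker.decode("ascii").encode("utf-16-le")


def scan_dump(blob: bytes) -> Dict[str, List[dict]]:
    """Return {family: [{marker, encoding, offset}, ...]} for every marker hit.

    Families with no hits are left out, so the keys alone say which plugin
    assemblies were resident in the region.
    """
    hits: Dict[str, List[dict]] = {}
    for family, markers in PLUGIN_MARKERS.items():
        for marker in markers:
            for enc, needle in _encodings(marker):
                for m in re.finditer(re.escape(needle), blob):
                    hits.setdefault(family, []).append(
                        {"marker": marker.decode(), "encoding": enc,
                         "offset": m.start()})
    return hits


def is_nanocore_plugin_host(blob: bytes) -> bool:
    """Cheap yes/no triage: is the NanoCore plugin host interface present?"""
    return "core host interface" in scan_dump(blob)


# Constructed sample: a fragment that mimics the stress-tester plugin's
# metadata (#Strings heap, ASCII) followed by a UTF-16LE copy of the host
# interface name, as a runtime String object would store it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"<Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.My"
    + b"ClientPluginHTTPFloodSlowLorisSYNFloodTCP"
    + b"\x00" * 8
    + "NanoCore.ClientPluginHost".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for family, found in scan_dump(SAMPLE_DUMP).items():
        print(family)
        for h in found:
            print(f"  {h['marker']!r} ({h['encoding']}) at 0x{h['offset']:x}")
```

To use it on a real region, read the .sdmp file as bytes and pass it to scan_dump; an ASCII-only hit on the type names means the plugin assembly's metadata is mapped, while a UTF-16LE hit on the same name usually comes from a string the client built at runtime, which is worth noting when deciding whether the plugin was merely dropped or actually initialised.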