Analysis Report qnJXJsqt1M.exe

Overview

General Information

Sample Name:	qnJXJsqt1M.exe
Analysis ID:	383820
MD5:	e98ce8a425d942e7337ecbd309707e25
SHA1:	39e794cff61991cbcc073db38bfbf1e496953106
SHA256:	34d2073606f34324e1ba7146defa9f69e387059b64d1bfb28a5c9f37b0fc9436
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

AutoIt script contains suspicious strings

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: qnJXJsqt1M.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

Avira: detection malicious, Label: DR/AutoIt.Gen8

Found malware configuration

Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2ad4e32f-c687-4329-b5e5-302ef0e0", "Group": "Default", "Domain1": "nickdns22.duckdns.org", "Domain2": "127.0.0.1", "Port": 1896, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for domain / URL

Source: nickdns22.duckdns.org	Virustotal: Detection: 7%			Perma Link
Source: nickdns22.duckdns.org	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Virustotal: Detection: 55%			Perma Link
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: qnJXJsqt1M.exe	Virustotal: Detection: 67%	Perma Link
Source: qnJXJsqt1M.exe	Metadefender: Detection: 37%	Perma Link
Source: qnJXJsqt1M.exe	ReversingLabs: Detection: 79%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.znytpstdcrwsisx.exe.d50000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 12.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.znytpstdcrwsisx.exe.d50000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 0.2.qnJXJsqt1M.exe.ad0000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 0.0.qnJXJsqt1M.exe.ad0000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 1.2.MSBuild.exe.5e00000.9.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Source: qnJXJsqt1M.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbl source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: MSBuild.exe, 00000001.00000002.507151725.00000000059F0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00B163F9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B16CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B16CA9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B21B2F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00B160DD
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B1EB60
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B1F5FA
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1F56F FindFirstFileW,FindClose,	0_2_00B1F56F
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D96CA9 GetFileAttributesW,FindFirstFileW,FindClose,	11_2_00D96CA9

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: nickdns22.duckdns.org
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: nickdns22.duckdns.org

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.137
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.137
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B24EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B24EB5

Source: unknown

DNS traffic detected: queries for: nickdns22.duckdns.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B26B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B26B0C

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B26B0C

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B12B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B12B37

Installs a raw input device (often for capturing keystrokes)

Source: MSBuild.exe, 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B3F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B3F7FF

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.35a3c74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.35917f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.5610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.3201358.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

AutoIt script contains suspicious strings

Source: qnJXJsqt1M.exe	AutoIt Script: T0JYH = $I31330D6 ("vmtoolsd.exera2khkzkmkkprl7yom4g
Source: qnJXJsqt1M.exe	AutoIt Script: EN $S32383033JPB = DLLCALLADDRESS ($C31333233O8ISGY ,
Source: znytpstdcrwsisx.exe.0.dr	AutoIt Script: T0JYH = $I31330D6 ("vmtoolsd.exera2khkzkmkkprl7yom4g
Source: znytpstdcrwsisx.exe.0.dr	AutoIt Script: EN $S32383033JPB = DLLCALLADDRESS ($C31333233O8ISGY ,

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AD3D19
Source: qnJXJsqt1M.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: qnJXJsqt1M.exe, 00000000.00000000.229366699.0000000000B7E000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: znytpstdcrwsisx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: znytpstdcrwsisx.exe, 0000000B.00000000.259387793.0000000000DFE000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: qnJXJsqt1M.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: qnJXJsqt1M.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_054214FA NtQuerySystemInformation,		1_2_054214FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_054214BF NtQuerySystemInformation,		1_2_054214BF

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B16685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B16685

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B0ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B0ACC5

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B179D3

Detected potential crypto function

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00ADE3B0	0_2_00ADE3B0
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AFB043	0_2_00AFB043
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AEB11F	0_2_00AEB11F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AE3200	0_2_00AE3200
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AE3B70	0_2_00AE3B70
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0410F	0_2_00B0410F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF02A4	0_2_00AF02A4
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0038E	0_2_00B0038E
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF06D9	0_2_00AF06D9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0467F	0_2_00B0467F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B3AACE	0_2_00B3AACE
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B04BEF	0_2_00B04BEF
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AFCCC1	0_2_00AFCCC1
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AD6F07	0_2_00AD6F07
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00ADAF50	0_2_00ADAF50
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B331BC	0_2_00B331BC
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AFD1B9	0_2_00AFD1B9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF123A	0_2_00AF123A
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0724D	0_2_00B0724D
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AD93F0	0_2_00AD93F0
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B113CA	0_2_00B113CA
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AEF563	0_2_00AEF563
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AD96C0	0_2_00AD96C0
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1B6CC	0_2_00B1B6CC
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AD77B0	0_2_00AD77B0
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B3F7FF	0_2_00B3F7FF
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B079C9	0_2_00B079C9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05303850	1_2_05303850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_053023A0	1_2_053023A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05302FA8	1_2_05302FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05309278	1_2_05309278
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05308678	1_2_05308678
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0530AED8	1_2_0530AED8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0530306F	1_2_0530306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0530933F	1_2_0530933F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05309B20	1_2_05309B20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_053032BB	1_2_053032BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 5_2_02C60708	5_2_02C60708
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D63200	11_2_00D63200
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D5E3B0	11_2_00D5E3B0
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D7B043	11_2_00D7B043
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D8410F	11_2_00D8410F
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D84BEF	11_2_00D84BEF
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D59B60	11_2_00D59B60
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D6F563	11_2_00D6F563
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D79ED0	11_2_00D79ED0
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D577B0	11_2_00D577B0
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D56F07	11_2_00D56F07
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_05743850	12_2_05743850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_057423A0	12_2_057423A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_05742FA8	12_2_05742FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_0574306F	12_2_0574306F

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: String function: 00AEEC2F appears 63 times
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: String function: 00AF6AC0 appears 32 times

PE file contains strange resources

Source: qnJXJsqt1M.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qnJXJsqt1M.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qnJXJsqt1M.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qnJXJsqt1M.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Uses 32bit PE files

Source: qnJXJsqt1M.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Yara signature match

Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url, type: DROPPED	Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: dropped/znytpstdcrwsisx.fr.url, type: DROPPED	Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.MSBuild.exe.35a3c74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.35a3c74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.35917f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.35917f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.5610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.5610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.3201358.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.3201358.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: MSBuild.exe, 00000005.00000002.246059966.00000000030E1000.00000004.00000001.sdmp

Binary or memory string: *.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/10@13/3

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B1CE7A GetLastError,FormatMessageW,

0_2_00B1CE7A

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0AB84 AdjustTokenPrivileges,CloseHandle,	0_2_00B0AB84
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00B0B134
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_054212BA AdjustTokenPrivileges,	1_2_054212BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05421283 AdjustTokenPrivileges,	1_2_05421283

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B1E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B1E1FD

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B16532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,FindCloseChangeNotification,

0_2_00B16532

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B2C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00B2C18C

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AD406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AD406B

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user\AppData\Roaming\hdoydskbdx

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2ad4e32f-c687-4329-b5e5-302ef0e0906d}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user~1\AppData\Local\Temp\autB7CF.tmp

Jump to behavior

Source: qnJXJsqt1M.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qnJXJsqt1M.exe	Virustotal: Detection: 67%
Source: qnJXJsqt1M.exe	Metadefender: Detection: 37%
Source: qnJXJsqt1M.exe	ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File read: C:\Users\user\Desktop\qnJXJsqt1M.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\qnJXJsqt1M.exe 'C:\Users\user\Desktop\qnJXJsqt1M.exe'
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe 'C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe'
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: qnJXJsqt1M.exe

Static file information: File size 1253376 > 1048576

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: qnJXJsqt1M.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbl source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: MSBuild.exe, 00000001.00000002.507151725.00000000059F0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp

Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker

Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEE01E LoadLibraryA,GetProcAddress,

0_2_00AEE01E

PE file contains an invalid checksum

Source: znytpstdcrwsisx.exe.0.dr	Static PE information: real checksum: 0x12035b should be: 0x140fd1
Source: qnJXJsqt1M.exe	Static PE information: real checksum: 0x12035b should be: 0x133735

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF6B05 push ecx; ret	0_2_00AF6B18
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_01309E34 pushfd ; retf	1_2_01309E3D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_01309D5C push 780130CBh; retf	1_2_01309D61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_013074B8 push ebp; ret	1_2_013074B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_013074AC push ecx; ret	1_2_013074AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0130769F push es; ret	1_2_013076A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_013062D1 push ebx; retf	1_2_013062D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_013062D4 push ebx; retf	1_2_013062D6
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D76B05 push ecx; ret	11_2_00D76B18

Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AEEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00AEEB42
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B38111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B38111

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AF123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00AF123A

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: znytpstdcrwsisx.exe, 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: qnJXJsqt1M.exe, 00000000.00000003.237907069.0000000001686000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXEI0

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 407			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 921			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 2116	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 972	Thread sleep time: -160000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00B163F9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B16CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B16CA9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B21B2F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00B160DD
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B1EB60
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B1F5FA
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1F56F FindFirstFileW,FindClose,	0_2_00B1F56F
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D96CA9 GetFileAttributesW,FindFirstFileW,FindClose,	11_2_00D96CA9

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AEDDC0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000001.00000002.500546420.0000000001188000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6>
Source: znytpstdcrwsisx.exe, 0000000B.00000003.263480131.0000000001004000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exera2khkzkmkkprl7yom4gi135e3nfurFkrgm
Source: qnJXJsqt1M.exe, 00000000.00000003.237907069.0000000001686000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exe
Source: znytpstdcrwsisx.exe, 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exeI0
Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: qnJXJsqt1M.exe, 00000000.00000003.238668684.0000000001563000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exera2khkzkmkkprl7yom4gi135e3nfur
Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B26AAF BlockInput,

0_2_00B26AAF

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AD3D19

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B03920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00B03920

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEE01E LoadLibraryA,GetProcAddress,

0_2_00AEE01E

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D405B5 mov edx, dword ptr fs:[00000030h]	11_2_00D405B5
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D40175 mov edx, dword ptr fs:[00000030h]	11_2_00D40175
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D40175 mov edx, dword ptr fs:[00000030h]	11_2_00D40175
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D40405 mov edx, dword ptr fs:[00000030h]	11_2_00D40405
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D40365 mov edx, dword ptr fs:[00000030h]	11_2_00D40365

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B0A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B0A66C

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF8189 SetUnhandledExceptionFilter,	0_2_00AF8189
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AF81AC
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D781AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00D781AC

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: D7E008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 10C8008	Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B0B106 LogonUserW,

0_2_00B0B106

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AD3D19

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00AEEB42

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B174BB mouse_event,

0_2_00B174BB

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B0A66C

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B171FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B171FA

Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: MSBuild.exe, 00000001.00000002.506079771.0000000003478000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: qnJXJsqt1M.exe, MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000001.00000002.506079771.0000000003478000.00000004.00000001.sdmp	Binary or memory string: Program Manager@u
Source: qnJXJsqt1M.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: MSBuild.exe, 00000001.00000002.500546420.0000000001188000.00000004.00000020.sdmp	Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\MSBuild.exeD;

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AF65C4 cpuid

0_2_00AF65C4

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B2091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

0_2_00B2091D

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B4B340 GetUserNameW,

0_2_00B4B340

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AEDDC0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE

OS version to string mapping found (often used in BOTs)

Source: qnJXJsqt1M.exe	Binary or memory string: WIN_81
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_XP
Source: qnJXJsqt1M.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: znytpstdcrwsisx.exe, 0000000B.00000003.263480131.0000000001004000.00000004.00000001.sdmp	Binary or memory string: t0lj1bz7kyfvrnjhanglri8hhtcuWIN_7rs4zlupb30fv5a
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_XPe
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_VISTA
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_7
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_8
Source: qnJXJsqt1M.exe, 00000000.00000002.241202485.0000000001603000.00000004.00000001.sdmp	Binary or memory string: t0lj1bz7kyfvrnjhanglri8hhtcuWIN_7rs4zlupb30fv5ap

Remote Access Functionality:

Detected Nanocore Rat

Source: qnJXJsqt1M.exe, 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: znytpstdcrwsisx.exe, 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B28C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00B28C4F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B2923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00B2923B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0542275A bind,	1_2_0542275A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05422708 bind,	1_2_05422708

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.169.69.26	nickdns22.duckdns.org	United States		23033	WOWUS	true

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name	IP	Active
nickdns22.duckdns.org	192.169.69.26	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nickdns22.duckdns.org	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
127.0.0.1	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: qnJXJsqt1M.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

Avira: detection malicious, Label: DR/AutoIt.Gen8

Found malware configuration

Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp

Multi AV Scanner detection for domain / URL

Source: nickdns22.duckdns.org	Virustotal: Detection: 7%			Perma Link
Source: nickdns22.duckdns.org	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Virustotal: Detection: 55%			Perma Link
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: qnJXJsqt1M.exe	Virustotal: Detection: 67%	Perma Link
Source: qnJXJsqt1M.exe	Metadefender: Detection: 37%	Perma Link
Source: qnJXJsqt1M.exe	ReversingLabs: Detection: 79%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.znytpstdcrwsisx.exe.d50000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 12.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.znytpstdcrwsisx.exe.d50000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 0.2.qnJXJsqt1M.exe.ad0000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 0.0.qnJXJsqt1M.exe.ad0000.0.unpack	Avira: Label: DR/AutoIt.Gen8
Source: 1.2.MSBuild.exe.5e00000.9.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Source: qnJXJsqt1M.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbl source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: MSBuild.exe, 00000001.00000002.507151725.00000000059F0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00B163F9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B16CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B16CA9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B21B2F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00B160DD
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B1EB60
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B1F5FA
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1F56F FindFirstFileW,FindClose,	0_2_00B1F56F
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D96CA9 GetFileAttributesW,FindFirstFileW,FindClose,	11_2_00D96CA9

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: nickdns22.duckdns.org
Source: Malware configuration extractor	URLs: 127.0.0.1

Uses dynamic DNS services

Source: unknown

DNS query: name: nickdns22.duckdns.org

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WOWUS WOWUS

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.137
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.137
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.160.3
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B24EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B24EB5

Source: unknown

DNS traffic detected: queries for: nickdns22.duckdns.org

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B26B0C

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B26B0C

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B12B37

Installs a raw input device (often for capturing keystrokes)

Source: MSBuild.exe, 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

Potential key logger detected (key state polling based)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B3F7FF

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.35a3c74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.35917f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.5610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.3201358.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

AutoIt script contains suspicious strings

Source: qnJXJsqt1M.exe	AutoIt Script: T0JYH = $I31330D6 ("vmtoolsd.exera2khkzkmkkprl7yom4g
Source: qnJXJsqt1M.exe	AutoIt Script: EN $S32383033JPB = DLLCALLADDRESS ($C31333233O8ISGY ,
Source: znytpstdcrwsisx.exe.0.dr	AutoIt Script: T0JYH = $I31330D6 ("vmtoolsd.exera2khkzkmkkprl7yom4g
Source: znytpstdcrwsisx.exe.0.dr	AutoIt Script: EN $S32383033JPB = DLLCALLADDRESS ($C31333233O8ISGY ,

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00AD3D19
Source: qnJXJsqt1M.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: qnJXJsqt1M.exe, 00000000.00000000.229366699.0000000000B7E000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: znytpstdcrwsisx.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: znytpstdcrwsisx.exe, 0000000B.00000000.259387793.0000000000DFE000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: qnJXJsqt1M.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: qnJXJsqt1M.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_054214FA NtQuerySystemInformation,		1_2_054214FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_054214BF NtQuerySystemInformation,		1_2_054214BF

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B16685: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00B16685

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B0ACC5

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B179D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B179D3

Detected potential crypto function

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00ADE3B0	0_2_00ADE3B0
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AFB043	0_2_00AFB043
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AEB11F	0_2_00AEB11F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AE3200	0_2_00AE3200
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AE3B70	0_2_00AE3B70
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0410F	0_2_00B0410F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF02A4	0_2_00AF02A4
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0038E	0_2_00B0038E
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF06D9	0_2_00AF06D9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0467F	0_2_00B0467F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B3AACE	0_2_00B3AACE
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B04BEF	0_2_00B04BEF
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AFCCC1	0_2_00AFCCC1
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AD6F07	0_2_00AD6F07
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00ADAF50	0_2_00ADAF50
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B331BC	0_2_00B331BC
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AFD1B9	0_2_00AFD1B9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF123A	0_2_00AF123A
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0724D	0_2_00B0724D
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AD93F0	0_2_00AD93F0
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B113CA	0_2_00B113CA
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AEF563	0_2_00AEF563
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AD96C0	0_2_00AD96C0
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1B6CC	0_2_00B1B6CC
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AD77B0	0_2_00AD77B0
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B3F7FF	0_2_00B3F7FF
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B079C9	0_2_00B079C9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05303850	1_2_05303850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_053023A0	1_2_053023A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05302FA8	1_2_05302FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05309278	1_2_05309278
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05308678	1_2_05308678
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0530AED8	1_2_0530AED8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0530306F	1_2_0530306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0530933F	1_2_0530933F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05309B20	1_2_05309B20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_053032BB	1_2_053032BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 5_2_02C60708	5_2_02C60708
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D63200	11_2_00D63200
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D5E3B0	11_2_00D5E3B0
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D7B043	11_2_00D7B043
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D8410F	11_2_00D8410F
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D84BEF	11_2_00D84BEF
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D59B60	11_2_00D59B60
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D6F563	11_2_00D6F563
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D79ED0	11_2_00D79ED0
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D577B0	11_2_00D577B0
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D56F07	11_2_00D56F07
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_05743850	12_2_05743850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_057423A0	12_2_057423A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_05742FA8	12_2_05742FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 12_2_0574306F	12_2_0574306F

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: String function: 00AEEC2F appears 63 times
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: String function: 00AF6AC0 appears 32 times

PE file contains strange resources

Source: qnJXJsqt1M.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qnJXJsqt1M.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qnJXJsqt1M.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qnJXJsqt1M.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Uses 32bit PE files

Source: qnJXJsqt1M.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Yara signature match

Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.507018944.0000000005610000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url, type: DROPPED	Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: dropped/znytpstdcrwsisx.fr.url, type: DROPPED	Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.MSBuild.exe.35a3c74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.35a3c74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.35917f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.35917f0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.5610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.5610000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.3201358.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.3201358.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.17297f8.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: MSBuild.exe, 00000005.00000002.246059966.00000000030E1000.00000004.00000001.sdmp

Binary or memory string: *.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/10@13/3

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B1CE7A GetLastError,FormatMessageW,

0_2_00B1CE7A

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0AB84 AdjustTokenPrivileges,CloseHandle,	0_2_00B0AB84
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B0B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00B0B134
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_054212BA AdjustTokenPrivileges,	1_2_054212BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05421283 AdjustTokenPrivileges,	1_2_05421283

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B1E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B1E1FD

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B16532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,FindCloseChangeNotification,

0_2_00B16532

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B2C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,

0_2_00B2C18C

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AD406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00AD406B

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user\AppData\Roaming\hdoydskbdx

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2ad4e32f-c687-4329-b5e5-302ef0e0906d}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user~1\AppData\Local\Temp\autB7CF.tmp

Jump to behavior

Source: qnJXJsqt1M.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: qnJXJsqt1M.exe	Virustotal: Detection: 67%
Source: qnJXJsqt1M.exe	Metadefender: Detection: 37%
Source: qnJXJsqt1M.exe	ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File read: C:\Users\user\Desktop\qnJXJsqt1M.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\qnJXJsqt1M.exe 'C:\Users\user\Desktop\qnJXJsqt1M.exe'
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe 'C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe'
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: qnJXJsqt1M.exe

Static file information: File size 1253376 > 1048576

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qnJXJsqt1M.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: qnJXJsqt1M.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbl source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: MSBuild.exe, 00000001.00000002.507151725.00000000059F0000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.501509094.00000000013A6000.00000004.00000040.sdmp

Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qnJXJsqt1M.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

.NET source code contains potential unpacker

Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEE01E LoadLibraryA,GetProcAddress,

0_2_00AEE01E

PE file contains an invalid checksum

Source: znytpstdcrwsisx.exe.0.dr	Static PE information: real checksum: 0x12035b should be: 0x140fd1
Source: qnJXJsqt1M.exe	Static PE information: real checksum: 0x12035b should be: 0x133735

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF6B05 push ecx; ret	0_2_00AF6B18
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_01309E34 pushfd ; retf	1_2_01309E3D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_01309D5C push 780130CBh; retf	1_2_01309D61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_013074B8 push ebp; ret	1_2_013074B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_013074AC push ecx; ret	1_2_013074AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0130769F push es; ret	1_2_013076A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_013062D1 push ebx; retf	1_2_013062D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_013062D4 push ebx; retf	1_2_013062D6
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D76B05 push ecx; ret	11_2_00D76B18

Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 1.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 12.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AEEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00AEEB42
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B38111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B38111

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00AF123A

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: znytpstdcrwsisx.exe, 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: qnJXJsqt1M.exe, 00000000.00000003.237907069.0000000001686000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXEI0

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: threadDelayed 407			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Window / User API: foregroundWindowGot 921			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 2116	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 972	Thread sleep time: -160000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B163F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_00B163F9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B16CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B16CA9
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B21B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B21B2F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B160DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_00B160DD
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B1EB60
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B1F5FA
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B1F56F FindFirstFileW,FindClose,	0_2_00B1F56F
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D96CA9 GetFileAttributesW,FindFirstFileW,FindClose,	11_2_00D96CA9

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AEDDC0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000001.00000002.500546420.0000000001188000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6>
Source: znytpstdcrwsisx.exe, 0000000B.00000003.263480131.0000000001004000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exera2khkzkmkkprl7yom4gi135e3nfurFkrgm
Source: qnJXJsqt1M.exe, 00000000.00000003.237907069.0000000001686000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exe
Source: znytpstdcrwsisx.exe, 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exeI0
Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: qnJXJsqt1M.exe, 00000000.00000003.238668684.0000000001563000.00000004.00000001.sdmp	Binary or memory string: vmtoolsd.exera2khkzkmkkprl7yom4gi135e3nfur
Source: MSBuild.exe, 00000001.00000002.507773462.00000000066B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B26AAF BlockInput,

0_2_00B26AAF

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AD3D19

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B03920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,

0_2_00B03920

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEE01E LoadLibraryA,GetProcAddress,

0_2_00AEE01E

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D405B5 mov edx, dword ptr fs:[00000030h]	11_2_00D405B5
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D40175 mov edx, dword ptr fs:[00000030h]	11_2_00D40175
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D40175 mov edx, dword ptr fs:[00000030h]	11_2_00D40175
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D40405 mov edx, dword ptr fs:[00000030h]	11_2_00D40405
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D40365 mov edx, dword ptr fs:[00000030h]	11_2_00D40365

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B0A66C

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF8189 SetUnhandledExceptionFilter,	0_2_00AF8189
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00AF81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00AF81AC
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Code function: 11_2_00D781AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00D781AC

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: D7E008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe base: 10C8008	Jump to behavior

Contains functionality to execute programs as a different user

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B0B106 LogonUserW,

0_2_00B0B106

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AD3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00AD3D19

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00AEEB42

Contains functionality to simulate mouse events

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B174BB mouse_event,

0_2_00B174BB

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B0A66C

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B171FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B171FA

Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: MSBuild.exe, 00000001.00000002.506079771.0000000003478000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: qnJXJsqt1M.exe, MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000001.00000002.506079771.0000000003478000.00000004.00000001.sdmp	Binary or memory string: Program Manager@u
Source: qnJXJsqt1M.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: MSBuild.exe, 00000001.00000002.501791419.00000000019A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: MSBuild.exe, 00000001.00000002.500546420.0000000001188000.00000004.00000020.sdmp	Binary or memory string: Program Managersoft.NET\Framework\v2.0.50727\MSBuild.exeD;

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AF65C4 cpuid

0_2_00AF65C4

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

0_2_00B2091D

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00B4B340 GetUserNameW,

0_2_00B4B340

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe

Code function: 0_2_00AEDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00AEDDC0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE

OS version to string mapping found (often used in BOTs)

Source: qnJXJsqt1M.exe	Binary or memory string: WIN_81
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_XP
Source: qnJXJsqt1M.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: znytpstdcrwsisx.exe, 0000000B.00000003.263480131.0000000001004000.00000004.00000001.sdmp	Binary or memory string: t0lj1bz7kyfvrnjhanglri8hhtcuWIN_7rs4zlupb30fv5a
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_XPe
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_VISTA
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_7
Source: qnJXJsqt1M.exe	Binary or memory string: WIN_8
Source: qnJXJsqt1M.exe, 00000000.00000002.241202485.0000000001603000.00000004.00000001.sdmp	Binary or memory string: t0lj1bz7kyfvrnjhanglri8hhtcuWIN_7rs4zlupb30fv5ap

Remote Access Functionality:

Detected Nanocore Rat

Source: qnJXJsqt1M.exe, 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: znytpstdcrwsisx.exe, 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 00000000.00000003.234051628.00000000016D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271278827.0000000004519000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271444050.00000000044E6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287551362.0000000004581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269052958.000000000454C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237700588.00000000017A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232372398.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.506144635.0000000004237000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.286334104.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271541337.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.507400342.0000000005E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268804355.00000000044B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232471395.000000000173A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237121174.00000000017D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271021731.0000000001204000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236754982.0000000004671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.237756346.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268781078.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287492907.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272077281.000000000118B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.239247131.000000000176C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.236584811.00000000016C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268745620.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.274048307.00000000011D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.269076218.000000000126A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.268921996.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.234856164.0000000001739000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.272132273.00000000011A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.271693708.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.232598333.000000000149D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235161139.00000000016F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233676128.000000000176D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498286656.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5796, type: MEMORY
Source: Yara match	File source: Process Memory Space: qnJXJsqt1M.exe PID: 2764, type: MEMORY
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 3192, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4156, type: MEMORY
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.3.znytpstdcrwsisx.exe.11d0fe8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17297f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45d30ed.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45ceac4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.42430ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.176cb50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.MSBuild.exe.45c9c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e04629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.5e00000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.1739f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.16ec7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.qnJXJsqt1M.exe.17293d8.0.unpack, type: UNPACKEDPE

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B28C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00B28C4F
Source: C:\Users\user\Desktop\qnJXJsqt1M.exe	Code function: 0_2_00B2923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00B2923B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0542275A bind,	1_2_0542275A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05422708 bind,	1_2_05422708

ID:	383820
Product:	CloudBasic
Start time:	10:31:20
Start date:	08.04.2021
Sample:	qnJXJsqt1M.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e98ce8a425d942e7337ecbd309707e25
SHA1:	39e794cff61991cbcc073db38bfbf1e496953106
SHA256:	34d2073606f34324e1ba7146defa9f69e387059b64d1bfb28a5c9f37b0fc9436
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MSBuild.exe.log	ASCII text, with CRLF line terminators	65CE98936A67552310EFE2F0FF5BDF88	8133653A6B9A169C7496ADE315CED322CFC3613A	682F7C55B1B6E189D17755F74959CD08762F91373203B3B982ACFFCADE2E871A
C:\Users\user\AppData\Local\Temp\autB7CF.tmp	data	D63A88D1A1B8198E665C1094E96488BC	427EA9EB92C1C20B647CECD78C6085B509BCC326	68B951C18FA6D7FDD30A5EB01609BAB36677D1414A6EC2D5A25C327A7D7CB9B0
C:\Users\user\AppData\Local\Temp\cbmfpeiu	data	D63A88D1A1B8198E665C1094E96488BC	427EA9EB92C1C20B647CECD78C6085B509BCC326	68B951C18FA6D7FDD30A5EB01609BAB36677D1414A6EC2D5A25C327A7D7CB9B0
C:\Users\user\AppData\Local\Temp\tmpC4DF.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	AE766004C0D8792953BAFFFE8F6A2E3B	14B12F27543A401E2FE0AF8052E116CAB0032426	1ABDD9B6A6B84E4BA1AF1282DC84CE276C59BA253F4C4AF05FEA498A4FD99540
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	Non-ISO extended-ASCII text, with no line terminators	2CCE6DD7EC46400F96706148A26C15E9	776024E284F2F59F8E908E2D5E6CDFBC64BD0533	513BD4A52AF323A89B4DC79B6CF52BA9FF9EABCB8809164B1E6245311A97FC03
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat	ASCII text, with no line terminators	A35128E4E28B27328F70E4E8FF482443	B89066B2F8DB34299AABFD7ABEE402D5444DD079	88AEA00733DC4B570A29D56A423CC5BF163E5ACE7AF349972EB0BBA8D9AD06E1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znytpstdcrwsisx.fr.url	MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe>), ASCII text, with CRLF line terminators	4123D4FB8377EF3CC0C17FE846A33369	FFD3BFA064E3245D1D49D0CBCFBC2DA102A69021	486EDCABE152F5B618A2867452A35A42A87D5A831E520F4110CFF057B7356814
C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	PE32 executable (GUI) Intel 80386, for MS Windows	206B9BA9B804BD72DB71AEBAB5967567	D78387B9A72560CE7E3E0D7B5C35123E17382202	32B7D46EC03F2580FED078C680CEEAD30BA9B2541C7E9EE1BB5EAE35F2DBD6D0
\Device\ConDrv	ASCII text, with CRLF line terminators	67DDD8252A246E7B14649B0063E351C0	AAE1C6839D1CC4A626D0FB2D4773823AD209FA17	24C8283BA3F7FCA2E4CEF6F141263DD1E8A36E5A5CD96A97BFE83525D7663116

Analysis Report qnJXJsqt1M.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs