Play interactive tour

Edit tour

Windows Analysis Report SKGCTMGCarta20210701516374466893343426doc.exe

Overview

General Information

Sample Name:	SKGCTMGCarta20210701516374466893343426doc.exe
Analysis ID:	451593
MD5:	0eb0833449cec388f8157458fc600691
SHA1:	63c969feee64e6fe65d289fbbdf6e2c971f8878b
SHA256:	945ab6b146dc530e61824b8ccdd396c6c5d84c9537736db859771b1ee2dd93fe
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

SKGCTMGCarta20210701516374466893343426doc.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe' MD5: 0EB0833449CEC388F8157458FC600691)

schtasks.exe (PID: 6772 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

MSBuild.exe (PID: 6436 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "01f9d977-6605-495e-941a-753d3cd6", "Group": "4Maticross.", "Domain1": "178.170.138.163", "Domain2": "", "Port": 5626, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb4aff:$a: NanoCore 0xb4b24:$a: NanoCore 0xb4b7d:$a: NanoCore 0xc4d1c:$a: NanoCore 0xc4d42:$a: NanoCore 0xc4d9e:$a: NanoCore 0xd1bf5:$a: NanoCore 0xd1c4e:$a: NanoCore 0xd1c81:$a: NanoCore 0xd1ead:$a: NanoCore 0xd1f29:$a: NanoCore 0xd2542:$a: NanoCore 0xd268b:$a: NanoCore 0xd2b5f:$a: NanoCore 0xd2e46:$a: NanoCore 0xd2e5d:$a: NanoCore 0xdbd01:$a: NanoCore 0xdbd7d:$a: NanoCore 0xde660:$a: NanoCore 0xe3c29:$a: NanoCore 0xe3ca3:$a: NanoCore
00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000009.00000002.918142857.0000000003BC2000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5e07:$a: NanoCore 0x5ef1:$a: NanoCore 0x6d68:$a: NanoCore 0xff12:$a: NanoCore 0xff73:$a: NanoCore 0xffb6:$a: NanoCore 0xfff6:$a: NanoCore 0x10232:$a: NanoCore 0x102d2:$a: NanoCore 0x10aaa:$a: NanoCore 0x1109d:$a: NanoCore 0x111ee:$a: NanoCore 0x12048:$a: NanoCore 0x122af:$a: NanoCore 0x122c4:$a: NanoCore 0x122e3:$a: NanoCore 0x1b1e6:$a: NanoCore 0x1b20f:$a: NanoCore 0x587d:$b: ClientPlugin 0x590b:$b: ClientPlugin 0x5918:$b: ClientPlugin
00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.917459276.0000000002A0F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1bb1ba:$a: NanoCore 0x1bb1df:$a: NanoCore 0x1bb238:$a: NanoCore 0x1cb42f:$a: NanoCore 0x1cb455:$a: NanoCore 0x1cb4b1:$a: NanoCore 0x1d835b:$a: NanoCore 0x1d83b4:$a: NanoCore 0x1d83e7:$a: NanoCore 0x1d8613:$a: NanoCore 0x1d868f:$a: NanoCore 0x1d8ca8:$a: NanoCore 0x1d8df1:$a: NanoCore 0x1d92c5:$a: NanoCore 0x1d95ac:$a: NanoCore 0x1d95c3:$a: NanoCore 0x1e24b7:$a: NanoCore 0x1e2533:$a: NanoCore 0x1e4e16:$a: NanoCore 0x1ea431:$a: NanoCore 0x1ea4ab:$a: NanoCore
00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1259:$a: NanoCore 0x12b2:$a: NanoCore 0x12ef:$a: NanoCore 0x1368:$a: NanoCore 0x14a13:$a: NanoCore 0x14a28:$a: NanoCore 0x14a5d:$a: NanoCore 0x22672:$a: NanoCore 0x22697:$a: NanoCore 0x226f0:$a: NanoCore 0x3288d:$a: NanoCore 0x328b3:$a: NanoCore 0x3290f:$a: NanoCore 0x3f764:$a: NanoCore 0x3f7bd:$a: NanoCore 0x3f7f0:$a: NanoCore 0x3fa1c:$a: NanoCore 0x3fa98:$a: NanoCore 0x400b1:$a: NanoCore 0x401fa:$a: NanoCore 0x406ce:$a: NanoCore
00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000009.00000002.918165301.0000000003BE8000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55747:$a: NanoCore 0x55831:$a: NanoCore 0x566a8:$a: NanoCore 0x5f852:$a: NanoCore 0x5f8b3:$a: NanoCore 0x5f8f6:$a: NanoCore 0x5f936:$a: NanoCore 0x5fb72:$a: NanoCore 0x5fc12:$a: NanoCore 0x603ea:$a: NanoCore 0x609dd:$a: NanoCore 0x60b2e:$a: NanoCore 0x61988:$a: NanoCore 0x61bef:$a: NanoCore 0x61c04:$a: NanoCore 0x61c23:$a: NanoCore 0x6ab26:$a: NanoCore 0x6ab4f:$a: NanoCore 0x768c8:$a: NanoCore 0x768f1:$a: NanoCore 0x9b7b4:$a: NanoCore
Process Memory Space: MSBuild.exe PID: 6436	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13e3:$x1: NanoCore.ClientPluginHost 0x5837f:$x1: NanoCore.ClientPluginHost 0x62c99:$x1: NanoCore.ClientPluginHost 0x75814:$x1: NanoCore.ClientPluginHost 0x78863:$x1: NanoCore.ClientPluginHost 0x7dc17:$x1: NanoCore.ClientPluginHost 0x8106c:$x1: NanoCore.ClientPluginHost 0x83c57:$x1: NanoCore.ClientPluginHost 0x8adfb:$x1: NanoCore.ClientPluginHost 0x8fc56:$x1: NanoCore.ClientPluginHost 0x9c430:$x1: NanoCore.ClientPluginHost 0xb7dd0:$x1: NanoCore.ClientPluginHost 0xc678b:$x1: NanoCore.ClientPluginHost 0xe76dd:$x1: NanoCore.ClientPluginHost 0x101354:$x1: NanoCore.ClientPluginHost 0x1188a4:$x1: NanoCore.ClientPluginHost 0x11e6b9:$x1: NanoCore.ClientPluginHost 0x12fb63:$x1: NanoCore.ClientPluginHost 0x19902c:$x1: NanoCore.ClientPluginHost 0x1a3946:$x1: NanoCore.ClientPluginHost 0x1b64c2:$x1: NanoCore.ClientPluginHost
Process Memory Space: MSBuild.exe PID: 6436	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 6436	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a6:$a: NanoCore 0x11c6:$a: NanoCore 0x13e3:$a: NanoCore 0x58342:$a: NanoCore 0x5837f:$a: NanoCore 0x58408:$a: NanoCore 0x5d7a0:$a: NanoCore 0x5d7c3:$a: NanoCore 0x5d818:$a: NanoCore 0x62c5b:$a: NanoCore 0x62c99:$a: NanoCore 0x62d25:$a: NanoCore 0x6d6c2:$a: NanoCore 0x6d6e6:$a: NanoCore 0x6d73e:$a: NanoCore 0x7535a:$a: NanoCore 0x753fb:$a: NanoCore 0x7545e:$a: NanoCore 0x75814:$a: NanoCore 0x758f0:$a: NanoCore 0x7635d:$a: NanoCore
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.MSBuild.exe.5270000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
9.2.MSBuild.exe.5270000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.MSBuild.exe.53b0000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
9.2.MSBuild.exe.53b0000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
9.2.MSBuild.exe.3c5b3e6.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
9.2.MSBuild.exe.3c5b3e6.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
9.2.MSBuild.exe.2bd18b0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
9.2.MSBuild.exe.2bd18b0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
9.2.MSBuild.exe.6830000.38.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
9.2.MSBuild.exe.6830000.38.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
9.2.MSBuild.exe.6390000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
9.2.MSBuild.exe.6390000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
9.2.MSBuild.exe.6380000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
9.2.MSBuild.exe.6380000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
9.2.MSBuild.exe.6390000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
9.2.MSBuild.exe.6390000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
9.2.MSBuild.exe.3bd7676.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
9.2.MSBuild.exe.3bd7676.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
9.2.MSBuild.exe.38f8a10.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
9.2.MSBuild.exe.38f8a10.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
9.2.MSBuild.exe.38f8a10.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.2bc5624.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
9.2.MSBuild.exe.2bc5624.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
9.2.MSBuild.exe.53c0000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
9.2.MSBuild.exe.53c0000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
9.2.MSBuild.exe.53c0000.27.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.53b0000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
9.2.MSBuild.exe.53b0000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
9.2.MSBuild.exe.64a0000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
9.2.MSBuild.exe.64a0000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
9.2.MSBuild.exe.64b0000.37.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
9.2.MSBuild.exe.64b0000.37.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
9.2.MSBuild.exe.3c44187.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
9.2.MSBuild.exe.3c44187.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
9.2.MSBuild.exe.3c44187.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
9.2.MSBuild.exe.38f8a10.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
9.2.MSBuild.exe.38f8a10.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
9.2.MSBuild.exe.38f8a10.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.3bce847.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
9.2.MSBuild.exe.3bce847.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
9.2.MSBuild.exe.53c4629.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
9.2.MSBuild.exe.53c4629.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
9.2.MSBuild.exe.53c4629.26.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.53a0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
9.2.MSBuild.exe.53a0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
9.2.MSBuild.exe.53a0000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
9.2.MSBuild.exe.53a0000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
9.2.MSBuild.exe.3c4cfb6.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
9.2.MSBuild.exe.3c4cfb6.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
9.2.MSBuild.exe.3c5b3e6.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
9.2.MSBuild.exe.3c5b3e6.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
9.2.MSBuild.exe.5350000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
9.2.MSBuild.exe.5350000.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
9.2.MSBuild.exe.6370000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
9.2.MSBuild.exe.6370000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
9.2.MSBuild.exe.64b4c9f.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
9.2.MSBuild.exe.64b4c9f.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
9.2.MSBuild.exe.53c0000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
9.2.MSBuild.exe.53c0000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
9.2.MSBuild.exe.53c0000.27.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.3c4cfb6.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
9.2.MSBuild.exe.3c4cfb6.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
9.2.MSBuild.exe.38fd039.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
9.2.MSBuild.exe.38fd039.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
9.2.MSBuild.exe.38fd039.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.5340000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
9.2.MSBuild.exe.5340000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
9.2.MSBuild.exe.64b0000.37.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
9.2.MSBuild.exe.64b0000.37.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
9.2.MSBuild.exe.3c44187.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
9.2.MSBuild.exe.3c44187.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
9.2.MSBuild.exe.6360000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
9.2.MSBuild.exe.6360000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
9.2.MSBuild.exe.6380000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
9.2.MSBuild.exe.6380000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
9.2.MSBuild.exe.3a50f69.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
9.2.MSBuild.exe.3a50f69.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
9.2.MSBuild.exe.3cd82b0.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
9.2.MSBuild.exe.3cd82b0.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
9.2.MSBuild.exe.3cd82b0.15.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.2bc5624.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e31:$x1: NanoCore.ClientPluginHost 0x21fef:$x1: NanoCore.ClientPluginHost 0x2be93:$x1: NanoCore.ClientPluginHost 0x33e0d:$x1: NanoCore.ClientPluginHost 0x39e34:$x1: NanoCore.ClientPluginHost 0x438f3:$x1: NanoCore.ClientPluginHost 0x4dd73:$x1: NanoCore.ClientPluginHost 0x58da9:$x1: NanoCore.ClientPluginHost 0x64ba3:$x1: NanoCore.ClientPluginHost 0x7098e:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e5e:$x2: IClientNetworkHost 0x22028:$x2: IClientNetworkHost 0x2becc:$x2: IClientNetworkHost 0x33e46:$x2: IClientNetworkHost 0x43a50:$x2: IClientNetworkHost 0x4ddac:$x2: IClientNetworkHost 0x58dc3:$x2: IClientNetworkHost 0x64bbd:$x2: IClientNetworkHost 0x709cb:$x2: IClientNetworkHost
9.2.MSBuild.exe.2bc5624.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e31:$x2: NanoCore.ClientPluginHost 0x21fef:$x2: NanoCore.ClientPluginHost 0x2be93:$x2: NanoCore.ClientPluginHost 0x33e0d:$x2: NanoCore.ClientPluginHost 0x39e34:$x2: NanoCore.ClientPluginHost 0x438f3:$x2: NanoCore.ClientPluginHost 0x4dd73:$x2: NanoCore.ClientPluginHost 0x58da9:$x2: NanoCore.ClientPluginHost 0x64ba3:$x2: NanoCore.ClientPluginHost 0x7098e:$x2: NanoCore.ClientPluginHost 0x15e00:$s2: FileCommand 0x44849:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a802:$s4: PipeCreated 0x2210c:$s4: PipeCreated 0x2bf97:$s4: PipeCreated 0x33f28:$s4: PipeCreated 0x39f12:$s4: PipeCreated 0x43ae9:$s4: PipeCreated 0x4debe:$s4: PipeCreated
9.2.MSBuild.exe.2bc5624.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14e0b:$a: NanoCore 0x14e31:$a: NanoCore 0x14e8d:$a: NanoCore 0x21d37:$a: NanoCore 0x21d90:$a: NanoCore 0x21dc3:$a: NanoCore 0x21fef:$a: NanoCore 0x2206b:$a: NanoCore 0x22684:$a: NanoCore 0x227cd:$a: NanoCore 0x22ca1:$a: NanoCore 0x22f88:$a: NanoCore 0x22f9f:$a: NanoCore 0x2be93:$a: NanoCore 0x2bf0f:$a: NanoCore 0x2e7f2:$a: NanoCore 0x33e0d:$a: NanoCore 0x33e87:$a: NanoCore
9.2.MSBuild.exe.64be8a4.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
9.2.MSBuild.exe.64be8a4.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
9.2.MSBuild.exe.2be5f30.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb587:$x1: NanoCore.ClientPluginHost 0x13501:$x1: NanoCore.ClientPluginHost 0x19528:$x1: NanoCore.ClientPluginHost 0x22fe7:$x1: NanoCore.ClientPluginHost 0x2d467:$x1: NanoCore.ClientPluginHost 0x3849d:$x1: NanoCore.ClientPluginHost 0x44297:$x1: NanoCore.ClientPluginHost 0x50082:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5c0:$x2: IClientNetworkHost 0x1353a:$x2: IClientNetworkHost 0x23144:$x2: IClientNetworkHost 0x2d4a0:$x2: IClientNetworkHost 0x384b7:$x2: IClientNetworkHost 0x442b1:$x2: IClientNetworkHost 0x500bf:$x2: IClientNetworkHost
9.2.MSBuild.exe.2be5f30.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb587:$x2: NanoCore.ClientPluginHost 0x13501:$x2: NanoCore.ClientPluginHost 0x19528:$x2: NanoCore.ClientPluginHost 0x22fe7:$x2: NanoCore.ClientPluginHost 0x2d467:$x2: NanoCore.ClientPluginHost 0x3849d:$x2: NanoCore.ClientPluginHost 0x44297:$x2: NanoCore.ClientPluginHost 0x50082:$x2: NanoCore.ClientPluginHost 0x23f3d:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb68b:$s4: PipeCreated 0x1361c:$s4: PipeCreated 0x19606:$s4: PipeCreated 0x231dd:$s4: PipeCreated 0x2d5b2:$s4: PipeCreated 0x394d2:$s4: PipeCreated 0x46042:$s4: PipeCreated 0x534d5:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb5a1:$s5: IClientLoggingHost
9.2.MSBuild.exe.2be5f30.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb587:$a: NanoCore 0xb603:$a: NanoCore 0xdee6:$a: NanoCore 0x13501:$a: NanoCore 0x1357b:$a: NanoCore 0x19528:$a: NanoCore 0x19572:$a: NanoCore 0x1a1cc:$a: NanoCore 0x22fe7:$a: NanoCore 0x230d1:$a: NanoCore 0x23f48:$a: NanoCore
9.2.MSBuild.exe.3bd7676.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
9.2.MSBuild.exe.3bd7676.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
9.2.MSBuild.exe.6830000.38.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
9.2.MSBuild.exe.6830000.38.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
9.2.MSBuild.exe.5380000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
9.2.MSBuild.exe.5380000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
9.2.MSBuild.exe.5350000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
9.2.MSBuild.exe.5350000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
9.2.MSBuild.exe.3a5d19d.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
9.2.MSBuild.exe.3a5d19d.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
9.2.MSBuild.exe.64a0000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
9.2.MSBuild.exe.64a0000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
9.2.MSBuild.exe.3bce847.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost
9.2.MSBuild.exe.3bce847.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost
9.2.MSBuild.exe.3bce847.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x3741:$b: ClientPlugin 0x39f4:$b: ClientPlugin 0x3a94:$b: ClientPlugin 0xe7bf:$b: ClientPlugin 0xe7d3:$b: ClientPlugin 0xe803:$b: ClientPlugin
9.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.MSBuild.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
9.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
9.2.MSBuild.exe.5340000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
9.2.MSBuild.exe.5340000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
9.2.MSBuild.exe.6370000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
9.2.MSBuild.exe.6370000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
9.2.MSBuild.exe.3cdc8d9.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3c691:$x1: NanoCore.ClientPluginHost 0x42662:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0x6d278:$x1: NanoCore.ClientPluginHost 0x9217c:$x1: NanoCore.ClientPluginHost 0xa15bc:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x3c6ca:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost 0x6d292:$x2: IClientNetworkHost
9.2.MSBuild.exe.3cdc8d9.16.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.3cdc8d9.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3c691:$a: NanoCore 0x3c70b:$a: NanoCore
9.2.MSBuild.exe.3a717ca.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x1345f:$a: NanoCore 0x134d9:$a: NanoCore 0x18076:$a: NanoCore 0x19432:$a: NanoCore 0x1947c:$a: NanoCore 0x1a0d6:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
9.2.MSBuild.exe.2bd18b0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d63:$x1: NanoCore.ClientPluginHost 0x1fc07:$x1: NanoCore.ClientPluginHost 0x27b81:$x1: NanoCore.ClientPluginHost 0x2dba8:$x1: NanoCore.ClientPluginHost 0x37667:$x1: NanoCore.ClientPluginHost 0x41ae7:$x1: NanoCore.ClientPluginHost 0x4cb1d:$x1: NanoCore.ClientPluginHost 0x58917:$x1: NanoCore.ClientPluginHost 0x64702:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d9c:$x2: IClientNetworkHost 0x1fc40:$x2: IClientNetworkHost 0x27bba:$x2: IClientNetworkHost 0x377c4:$x2: IClientNetworkHost 0x41b20:$x2: IClientNetworkHost 0x4cb37:$x2: IClientNetworkHost 0x58931:$x2: IClientNetworkHost 0x6473f:$x2: IClientNetworkHost
9.2.MSBuild.exe.2bd18b0.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d63:$x2: NanoCore.ClientPluginHost 0x1fc07:$x2: NanoCore.ClientPluginHost 0x27b81:$x2: NanoCore.ClientPluginHost 0x2dba8:$x2: NanoCore.ClientPluginHost 0x37667:$x2: NanoCore.ClientPluginHost 0x41ae7:$x2: NanoCore.ClientPluginHost 0x4cb1d:$x2: NanoCore.ClientPluginHost 0x58917:$x2: NanoCore.ClientPluginHost 0x64702:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x385bd:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e80:$s4: PipeCreated 0x1fd0b:$s4: PipeCreated 0x27c9c:$s4: PipeCreated 0x2dc86:$s4: PipeCreated 0x3785d:$s4: PipeCreated 0x41c32:$s4: PipeCreated 0x4db52:$s4: PipeCreated 0x5a6c2:$s4: PipeCreated
9.2.MSBuild.exe.2bd18b0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15aab:$a: NanoCore 0x15b04:$a: NanoCore 0x15b37:$a: NanoCore 0x15d63:$a: NanoCore 0x15ddf:$a: NanoCore 0x163f8:$a: NanoCore 0x16541:$a: NanoCore 0x16a15:$a: NanoCore 0x16cfc:$a: NanoCore 0x16d13:$a: NanoCore 0x1fc07:$a: NanoCore 0x1fc83:$a: NanoCore 0x22566:$a: NanoCore 0x27b81:$a: NanoCore 0x27bfb:$a: NanoCore 0x2dba8:$a: NanoCore 0x2dbf2:$a: NanoCore 0x2e84c:$a: NanoCore
9.2.MSBuild.exe.3cd82b0.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x40cba:$x1: NanoCore.ClientPluginHost 0x46c8b:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0x718a1:$x1: NanoCore.ClientPluginHost 0x967a5:$x1: NanoCore.ClientPluginHost 0xa5be5:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x40cf3:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost 0x718bb:$x2: IClientNetworkHost
9.2.MSBuild.exe.3cd82b0.15.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.3cd82b0.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x40cba:$a: NanoCore 0x40d34:$a: NanoCore
9.2.MSBuild.exe.3cd347a.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x45af0:$x1: NanoCore.ClientPluginHost 0x4bac1:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0x766d7:$x1: NanoCore.ClientPluginHost 0x9b5db:$x1: NanoCore.ClientPluginHost 0xaaa1b:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x45b29:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost
9.2.MSBuild.exe.3cd347a.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.MSBuild.exe.3cd347a.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
9.2.MSBuild.exe.3a50f69.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x33cc0:$a: NanoCore 0x33d3a:$a: NanoCore
9.2.MSBuild.exe.3a5d19d.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x27a8c:$a: NanoCore 0x27b06:$a: NanoCore 0x2c6a3:$a: NanoCore 0x2da5f:$a: NanoCore 0x2daa9:$a: NanoCore
Click to see the 121 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe' , ParentImage: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe, ParentProcessId: 6916, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "01f9d977-6605-495e-941a-753d3cd6", "Group": "4Maticross.", "Domain1": "178.170.138.163", "Domain2": "", "Port": 5626, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for domain / URL

Show sources

Source: 178.170.138.163

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe

ReversingLabs: Detection: 19%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SKGCTMGCarta20210701516374466893343426doc.exe

Joe Sandbox ML: detected

Source: 9.2.MSBuild.exe.53c0000.27.unpack	Avira: Label: TR/NanoCore.fadte
Source: 9.2.MSBuild.exe.38f8a10.6.unpack	Avira: Label: TR/NanoCore.fadte
Source: 9.2.MSBuild.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: SKGCTMGCarta20210701516374466893343426doc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: SKGCTMGCarta20210701516374466893343426doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: 178.170.138.163
Source: Malware configuration extractor	URLs:

Source: global traffic

TCP traffic: 192.168.2.4:49744 -> 178.170.138.163:5626

Source: Joe Sandbox View

IP Address: 178.170.138.163 178.170.138.163

Source: Joe Sandbox View

ASN Name: ETOP-ASPL ETOP-ASPL

Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 2.22.152.11
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.136
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown	TCP traffic detected without corresponding DNS query: 93.184.221.240
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.136
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.136
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.136
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.136
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.136
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.136
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.136
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163
Source: unknown	TCP traffic detected without corresponding DNS query: 178.170.138.163

Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: SKGCTMGCarta20210701516374466893343426doc.exe	String found in binary or memory: http://tempuri.org/SeguridadDS.xsd
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.653877681.0000000005C48000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.650929084.0000000005C4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.650929084.0000000005C4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.652846732.0000000005C3E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnre
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.652846732.0000000005C3E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//-e
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655772497.0000000005C3C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655627410.0000000005C3C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0o
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fed
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/iv
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/str
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/wdthd
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.651828375.0000000005C4B000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.651216772.0000000005C4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Source: MSBuild.exe, 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 9.2.MSBuild.exe.5270000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.53b0000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3c5b3e6.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.2bd18b0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6830000.38.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6390000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6380000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6390000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3bd7676.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.2bc5624.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.53b0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.64a0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.64b0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3bce847.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.53a0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.53a0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3c4cfb6.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3c5b3e6.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.5350000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6370000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.64b4c9f.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3c4cfb6.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.5340000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.64b0000.37.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3c44187.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6360000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6380000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3a50f69.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.64be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3bd7676.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6830000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.5380000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.5350000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3a5d19d.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.64a0000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.5340000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.6370000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3a717ca.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3a50f69.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3a5d19d.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.918142857.0000000003BC2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.917459276.0000000002A0F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.918165301.0000000003BE8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_06841480	9_2_06841480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_068346D3	9_2_068346D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_068342EB	9_2_068342EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_06833324	9_2_06833324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_04D7E480	9_2_04D7E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_04D7E471	9_2_04D7E471

Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647837069.0000000000590000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAssemblyDefaultAliasAttribu.exe> vs SKGCTMGCarta20210701516374466893343426doc.exe
Source: SKGCTMGCarta20210701516374466893343426doc.exe	Binary or memory string: OriginalFilenameAssemblyDefaultAliasAttribu.exe> vs SKGCTMGCarta20210701516374466893343426doc.exe

Source: SKGCTMGCarta20210701516374466893343426doc.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 9.2.MSBuild.exe.5270000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5270000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53b0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53b0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c5b3e6.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c5b3e6.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bd18b0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2bd18b0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6830000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6830000.38.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6390000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6390000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6380000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6380000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6390000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6390000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3bd7676.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3bd7676.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bc5624.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2bc5624.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53b0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53b0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64a0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64a0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64b0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64b0000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3bce847.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3bce847.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53a0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53a0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53a0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53a0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c4cfb6.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c4cfb6.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c5b3e6.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c5b3e6.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.5350000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5350000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6370000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6370000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64b4c9f.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64b4c9f.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c4cfb6.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c4cfb6.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.5340000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5340000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64b0000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64b0000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c44187.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c44187.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6360000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6360000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6380000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6380000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3a50f69.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3a50f69.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.64be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3bd7676.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3bd7676.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6830000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6830000.38.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.5380000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5380000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.5350000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5350000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3a5d19d.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3a5d19d.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64a0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64a0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.5340000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5340000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6370000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6370000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3a717ca.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3a50f69.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3a5d19d.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.918142857.0000000003BC2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.917459276.0000000002A0F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.918165301.0000000003BE8000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/8@0/1

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

File created: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{01f9d977-6605-495e-941a-753d3cd6dc0b}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Mutant created: \Sessions\1\BaseNamedObjects\hyqnCGSIGeFUcA

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp

Jump to behavior

Source: SKGCTMGCarta20210701516374466893343426doc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO [USUARIO] ([cve_empleado], [nombre], [ape_pat], [ape_mat], [correo], [id_usuario], [fecha_ingreso], [estado], [Bloqueo], [FechaCaducidad], [id_sucursal], [Autorizar], [jefe], [id_depto]) VALUES (@cve_empleado, @nombre, @ape_pat, @ape_mat, @correo, @id_usuario, @fecha_ingreso, @estado, @Bloqueo, @FechaCaducidad, @id_sucursal, @Autorizar, @jefe, @id_depto);
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO [PERFILES] ([CveEmpresa], [cve_perfil], [id_sistema]) VALUES (@CveEmpresa, @cve_perfil, @id_sistema);
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO [SEG_MAESTRA] ([cve_perfil], [nom_sistema], [modulo], [cve_menu], [cve_submenu], [cve_ssubmenu], [cve_sssubmenu], [menu]) VALUES (@cve_perfil, @nom_sistema, @modulo, @cve_menu, @cve_submenu, @cve_ssubmenu, @cve_sssubmenu, @menu);
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp	Binary or memory string: UPDATE [PERFILES] SET [CveEmpresa] = @CveEmpresa, [cve_perfil] = @cve_perfil, [id_sistema] = @id_sistema WHERE (([CveEmpresa] = @Original_CveEmpresa) AND ([cve_perfil] = @Original_cve_perfil) AND ([id_sistema] = @Original_id_sistema));
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp	Binary or memory string: UPDATE [DEPTO] SET [id_depto] = @id_depto, [nom_depto] = @nom_depto WHERE (([id_depto] = @Original_id_depto) AND ((@IsNull_nom_depto = 1 AND [nom_depto] IS NULL) OR ([nom_depto] = @Original_nom_depto)));

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

File read: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe'
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SKGCTMGCarta20210701516374466893343426doc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SKGCTMGCarta20210701516374466893343426doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: initial sample	Static PE information: section name: .text entropy: 7.34236226121
Source: initial sample	Static PE information: section name: .text entropy: 7.34236226121

Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

File created: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2255	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7382	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: foregroundWindowGot 607	Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe TID: 6920	Thread sleep time: -54519s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe TID: 6968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6664	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Thread delayed: delay time: 54519	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000009.00000002.922026486.00000000063A0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000009.00000002.922026486.00000000063A0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000009.00000002.922026486.00000000063A0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000009.00000003.779609147.0000000000D45000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000009.00000002.922026486.00000000063A0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6AE008	Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe			Jump to behavior

Source: MSBuild.exe, 00000009.00000002.917823419.0000000002CF0000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: MSBuild.exe, 00000009.00000002.916937385.0000000001250000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000009.00000002.916937385.0000000001250000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MSBuild.exe, 00000009.00000002.921539423.0000000005E7C000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager
Source: MSBuild.exe, 00000009.00000002.916937385.0000000001250000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: MSBuild.exe, 00000009.00000002.920987779.0000000005B2C000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager h

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: MSBuild.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: MSBuild.exe, 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection212	Masquerading1	Input Capture11	Security Software Discovery111	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing12	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SKGCTMGCarta20210701516374466893343426doc.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe	20%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

Source	Detection	Scanner	Label	Download
9.2.MSBuild.exe.53c0000.27.unpack	100%	Avira	TR/NanoCore.fadte	Download File
9.2.MSBuild.exe.38f8a10.6.unpack	100%	Avira	TR/NanoCore.fadte	Download File
9.2.MSBuild.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
178.170.138.163	6%	Virustotal		Browse
178.170.138.163	0%	Avira URL Cloud	safe
	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/str	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/U	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/U	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/U	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/U	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a-e	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a-e	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a-e	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a-e	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/G	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnre	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://tempuri.org/SeguridadDS.xsd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/7	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/7	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/7	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/wdthd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0o	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/iv	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.founder.com.cn/cnt	0%	URL Reputation	safe
http://www.founder.com.cn/cnt	0%	URL Reputation	safe
http://www.founder.com.cn/cnt	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//-e	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/fed	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
178.170.138.163	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.jiyu-kobo.co.jp/str	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.653877681.0000000005C48000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/U	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/a-e	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/G	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnre	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.652846732.0000000005C3E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/G	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.com	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.651828375.0000000005C4B000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.651216772.0000000005C4B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://tempuri.org/SeguridadDS.xsd	SKGCTMGCarta20210701516374466893343426doc.exe	false	Avira URL Cloud: safe	unknown
http://google.com	MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/7	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655772497.0000000005C3C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/wdthd	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0o	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655627410.0000000005C3C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/q	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/iv	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnt	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.652846732.0000000005C3E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comn	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.650929084.0000000005C4B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.650929084.0000000005C4B000.00000004.00000001.sdmp	false		high
http://www.carterandcone.como.	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp//-e	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/fed	SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.170.138.163	unknown	Netherlands		20853	ETOP-ASPL	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	451593
Start date:	20.07.2021
Start time:	20:52:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SKGCTMGCarta20210701516374466893343426doc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/8@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 83% Number of executed functions: 27 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 23.54.113.53, 104.43.139.144, 104.42.151.234, 52.255.188.83, 20.50.102.62, 23.0.174.200, 23.0.174.185, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:53:39	API Interceptor	2x Sleep call for process: SKGCTMGCarta20210701516374466893343426doc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
178.170.138.163	SKCTMG_Carta_20210707_16374466893343426doc.exe	Get hash	malicious	Browse
	#U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe	Get hash	malicious	Browse
	Documento de transferencia de Scotiabank7497574730084doc.exe	Get hash	malicious	Browse
	Documento de transferencia de Scotiabank749757473008422doc.exe	Get hash	malicious	Browse
	Documento relativo al carico e alla spedizione del cliente_italy2020.exe	Get hash	malicious	Browse
	Sitech#U4ea7#U54c1#U54a8#U8be2#U89c4#U8303754378y9986456Taiwan2020.exe	Get hash	malicious	Browse
	Detalles de la descripci#U00f3n de la oferta del producto.exe	Get hash	malicious	Browse
	Detalles de la descripci#U00f3n de la oferta del producto.exe	Get hash	malicious	Browse
	Documentos internos de transferencia de dinero Banco Santader.exe	Get hash	malicious	Browse
	Documentos internos de transferencia de dinero Banco Santader.exe	Get hash	malicious	Browse
	Albawardi Group Project offer description 678467463756382020.exe	Get hash	malicious	Browse
	Opis proizvoda prema kvaliteti i modelima2020.exe	Get hash	malicious	Browse
	Opis proizvoda prema kvaliteti i modelima2020.exe	Get hash	malicious	Browse
	Documentos de pago bancario 36587634 Bisa2020.exe	Get hash	malicious	Browse
	Beschrijving van productaanbiedingcWbZN52020.exe	Get hash	malicious	Browse
	Descri#U00e7#U00e3o da oferta do produto 873564635640rden2020.exe	Get hash	malicious	Browse
	Descri#U00e7#U00e3o da oferta do produto 873564635640rden2020.exe	Get hash	malicious	Browse
	BIDAKIS DOO PONUDA PROIZVODA.exe	Get hash	malicious	Browse
	DocumentoNota Cobran#U00e7a IMI (FFPT-2019223912003).exe	Get hash	malicious	Browse
	DocumentoNota Cobran#U00e7a IMI (FFPT-2019223912003).exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ETOP-ASPL	v6clgzEGCb	Get hash	malicious	Browse	194.87.61.219
	SKCTMG_Carta_20210707_16374466893343426doc.exe	Get hash	malicious	Browse	178.170.138.163
	#U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe	Get hash	malicious	Browse	178.170.138.163
	DEBT_06032021_727093524.xlsm	Get hash	malicious	Browse	217.147.172.75
	DEBT_06032021_727093524.xlsm	Get hash	malicious	Browse	217.147.172.75
	p8Wo6PbOjL.exe	Get hash	malicious	Browse	194.87.248.186
	DEBT_06032021_1841965006.xlsm	Get hash	malicious	Browse	217.147.172.75
	DEBT_06032021_1841965006.xlsm	Get hash	malicious	Browse	217.147.172.75
	21305177357_05272021.xlsm	Get hash	malicious	Browse	217.147.172.75
	21305177357_05272021.xlsm	Get hash	malicious	Browse	217.147.172.75
	21881755902_05272021.xlsm	Get hash	malicious	Browse	217.147.172.75
	21881755902_05272021.xlsm	Get hash	malicious	Browse	217.147.172.75
	SecuriteInfo.com.Downloader-FCEIFE04EE03A3CA.23702.xlsx	Get hash	malicious	Browse	217.147.172.65
	SecuriteInfo.com.Downloader-FCEIFE04EE03A3CA.23702.xlsx	Get hash	malicious	Browse	217.147.172.65
	SecuriteInfo.com.Heur.18790.xlsx	Get hash	malicious	Browse	217.147.172.65
	SecuriteInfo.com.Heur.18790.xlsx	Get hash	malicious	Browse	217.147.172.65
	21975030260_05262021.xlsm	Get hash	malicious	Browse	217.147.172.65
	21975030260_05262021.xlsm	Get hash	malicious	Browse	217.147.172.65
	LGZCUIMYwQ.exe	Get hash	malicious	Browse	178.170.138.116
	Smart wireless request.xlsb	Get hash	malicious	Browse	178.170.138.116

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKGCTMGCarta20210701516374466893343426doc.exe.log Download File
Process:	C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1594
Entropy (8bit):	5.336334182031907
Encrypted:	false
SSDEEP:	48:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHsAmHK2HKSHKKHKs:lrq5qXEwCYqhQnoPtIxHeqzNM/q2qSqY
MD5:	B9E8D9BC061D6715808BB3A28CECBA2B
SHA1:	6F18CD63C12AEC962D089F215658FD5BE1789BC3
SHA-256:	716E082F23E093EBCA2C8F994745CC7D62457D7359BBE555B75E275CE8EEEDC7
SHA-512:	6D97D3E34CBCC5C0CCF845E285F98DE1824A825AB1D306D20ED164B0B74270CED9AB694E40831EC796E9F823BB4E369166006E555D7BBD000A33A0FDA601F806
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp Download File
Process:	C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.1946234784418746
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGntn:cbhK79lNQR/rydbz9I3YODOLNdq3i
MD5:	8C8CC3C796621F14169BD093EA6818F4
SHA1:	3B3888BFFD6FC587368AADF30AB6CCAB6724A306
SHA-256:	CF099569F34DBAFE264CE066E5685D9FF0FB391813DBB88F5460808F0936F01E
SHA-512:	5BC2AB27CAC294C49159A0CE67E8011CA6E0695B51D0B34E9F956C751F4A812F003458499D5EC0AD12551BB2B797CA309A2C5FE127848923E9E94635445BB8B1
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:5P8t:98t
MD5:	884356AE811E6EC35EC71E122ADD3089
SHA1:	9346B3622B8A7DFCF2A6923688DD29D4D141D23B
SHA-256:	127F0042509D516159135C721EF6096155D1FECB47E0F7804799BBAA20788394
SHA-512:	5F8386D2FD81492551B6AB9D9813711AD739FF9CEC0037ACD96FFE1BF0E9DEC47EFD29BFA3C871BEECC9D6B9CDF13FB311E806522AD491C18DDAB6D3D6ACE34D
Malicious:	true
Reputation:	low
Preview:	V.{..K.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe Download File
Process:	C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	972288
Entropy (8bit):	7.334276939082949
Encrypted:	false
SSDEEP:	24576:wgpLmQvDB9Ep2nb+B8NJar5e/A82vMfjYOk:XJbTN8r8FOGS
MD5:	0EB0833449CEC388F8157458FC600691
SHA1:	63C969FEEE64E6FE65D289FBBDF6E2C971F8878B
SHA-256:	945AB6B146DC530E61824B8CCDD396C6C5D84C9537736DB859771B1EE2DD93FE
SHA-512:	EE4AE72DEFE8E6E163523FE9175911AF7EEE9FDF2EF086C16F699B51D08D98EBD9104D3FC6310922F7B729850F878C595319D2E89629C4AF798C267DAB28F1C7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 20%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............v.... ........@.. .......................@............@.................................$...O.......$.................... ....................................................... ............... ..H............text...\|.... ...................... ..`.rsrc...$...........................@..@.reloc....... ......................@..B................X.......H.......(...$...........L....]...........................................0............(1...(2.........(.....o3.........................(4......(5......(6......(7......(8....N..(....o....(9....&..(:.....s;........s<........s=........s>........s?............0...........~....o@....+...0...........~....oA....+...0...........~....oB....+...0...........~....oC....+...0...........~....oD....+..&..(E....*...0..<........~.....(F.....,!r...p.....(G...oH...sI............~.....

C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.334276939082949
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SKGCTMGCarta20210701516374466893343426doc.exe
File size:	972288
MD5:	0eb0833449cec388f8157458fc600691
SHA1:	63c969feee64e6fe65d289fbbdf6e2c971f8878b
SHA256:	945ab6b146dc530e61824b8ccdd396c6c5d84c9537736db859771b1ee2dd93fe
SHA512:	ee4ae72defe8e6e163523fe9175911af7eee9fdf2ef086c16f699b51d08d98ebd9104d3fc6310922f7b729850f878c595319d2e89629c4af798c267dab28f1c7
SSDEEP:	24576:wgpLmQvDB9Ep2nb+B8NJar5e/A82vMfjYOk:XJbTN8r8FOGS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............v.... ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4ee876
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60F70F88 [Tue Jul 20 18:01:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xee824	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf0000	0x624	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xec87c	0xeca00	False	0.651589532158	data	7.34236226121	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xf0000	0x624	0x800	False	0.3330078125	data	3.46462032748	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xf0090	0x394	data
RT_MANIFEST	0xf0434	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016 - 2021
Assembly Version	1.0.0.0
InternalName	AssemblyDefaultAliasAttribu.exe
FileVersion	1.0.0.0
CompanyName	X SAW
LegalTrademarks
Comments
ProductName	Fountain Marks
ProductVersion	1.0.0.0
FileDescription	Fountain Marks
OriginalFilename	AssemblyDefaultAliasAttribu.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 20, 2021 20:53:49.791016102 CEST	49744	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:53:52.792041063 CEST	49744	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:53:55.524904013 CEST	80	49684	93.184.221.240	192.168.2.4
Jul 20, 2021 20:53:55.525307894 CEST	49684	80	192.168.2.4	93.184.221.240
Jul 20, 2021 20:53:57.614537001 CEST	80	49685	93.184.220.29	192.168.2.4
Jul 20, 2021 20:53:57.614751101 CEST	49685	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:53:58.141104937 CEST	80	49707	93.184.220.29	192.168.2.4
Jul 20, 2021 20:53:58.141252041 CEST	49707	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:53:58.428544998 CEST	80	49698	93.184.220.29	192.168.2.4
Jul 20, 2021 20:53:58.428674936 CEST	49698	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:53:58.792886972 CEST	49744	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:53:59.280232906 CEST	49711	443	192.168.2.4	2.22.152.11
Jul 20, 2021 20:53:59.280491114 CEST	49714	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:53:59.623955965 CEST	80	49706	93.184.220.29	192.168.2.4
Jul 20, 2021 20:53:59.627317905 CEST	49706	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:54:01.316149950 CEST	49716	443	192.168.2.4	204.79.197.200
Jul 20, 2021 20:54:01.316797972 CEST	49717	443	192.168.2.4	204.79.197.200
Jul 20, 2021 20:54:06.795619965 CEST	49752	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:09.809037924 CEST	49752	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:15.966793060 CEST	49752	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:23.374228954 CEST	49763	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:26.389138937 CEST	49763	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:32.404723883 CEST	49763	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:39.938142061 CEST	49764	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:42.952441931 CEST	49764	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:45.250031948 CEST	49683	443	192.168.2.4	40.126.31.136
Jul 20, 2021 20:54:45.250032902 CEST	49685	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:54:45.250073910 CEST	49684	80	192.168.2.4	93.184.221.240
Jul 20, 2021 20:54:45.265918016 CEST	80	49685	93.184.220.29	192.168.2.4
Jul 20, 2021 20:54:45.265949011 CEST	80	49684	93.184.221.240	192.168.2.4
Jul 20, 2021 20:54:45.266001940 CEST	49685	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:54:45.266019106 CEST	49684	80	192.168.2.4	93.184.221.240
Jul 20, 2021 20:54:45.287282944 CEST	443	49683	40.126.31.136	192.168.2.4
Jul 20, 2021 20:54:45.287385941 CEST	49683	443	192.168.2.4	40.126.31.136
Jul 20, 2021 20:54:47.798296928 CEST	49712	443	192.168.2.4	40.126.31.136
Jul 20, 2021 20:54:47.798316002 CEST	49705	443	192.168.2.4	40.126.31.136
Jul 20, 2021 20:54:47.798541069 CEST	49715	443	192.168.2.4	40.126.31.136
Jul 20, 2021 20:54:47.836118937 CEST	443	49712	40.126.31.136	192.168.2.4
Jul 20, 2021 20:54:47.836163044 CEST	443	49715	40.126.31.136	192.168.2.4
Jul 20, 2021 20:54:47.836328030 CEST	49712	443	192.168.2.4	40.126.31.136
Jul 20, 2021 20:54:47.836405993 CEST	49715	443	192.168.2.4	40.126.31.136
Jul 20, 2021 20:54:47.837521076 CEST	443	49705	40.126.31.136	192.168.2.4
Jul 20, 2021 20:54:47.839204073 CEST	49705	443	192.168.2.4	40.126.31.136
Jul 20, 2021 20:54:48.952941895 CEST	49764	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:56.721637964 CEST	443	49692	204.79.197.200	192.168.2.4
Jul 20, 2021 20:54:57.894918919 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:57.993505955 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:57.994163990 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:58.052845001 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:58.195569038 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:58.325253010 CEST	443	49691	204.79.197.200	192.168.2.4
Jul 20, 2021 20:54:58.812326908 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:58.826364994 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:58.999310970 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:58.999449968 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.030936956 CEST	443	49695	204.79.197.200	192.168.2.4
Jul 20, 2021 20:54:59.143984079 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.144264936 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.285238981 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.288057089 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289046049 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289067030 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289084911 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289103985 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289124012 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.289124966 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289211988 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.289215088 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289220095 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.289565086 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289585114 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289633989 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.289761066 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.289841890 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.389314890 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.389348984 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.389368057 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.389384985 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.389462948 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.389487982 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.390346050 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390372038 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390391111 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390408993 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390424967 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390774012 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390816927 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390839100 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390856981 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.390903950 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.390928984 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.390933037 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.390937090 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.392381907 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.392424107 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.392458916 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.392539024 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.392550945 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.392571926 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.392591953 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.392666101 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.392724991 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.392924070 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.392931938 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.488101959 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.488756895 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.488794088 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.488817930 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.488848925 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.488862038 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.488888979 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.488909960 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.490042925 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.490142107 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.490227938 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.491554976 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.491580009 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.491600037 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.491621971 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.491817951 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.491837978 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.492039919 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.492058039 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.492127895 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.492141008 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.492144108 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.492146015 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.493858099 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.493957043 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.494256973 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.494317055 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.494333982 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.494353056 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.494371891 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.494380951 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.494395971 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.494398117 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.494496107 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.495012045 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.496848106 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.496875048 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.496970892 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.496992111 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.497539997 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.497859955 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.498142958 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.498223066 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.498297930 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.499106884 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.499735117 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.499855042 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.499922991 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.499941111 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.499978065 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.499994993 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.500021935 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.500051975 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.500056028 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.500057936 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.500061035 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.500062943 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.500101089 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.500355959 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.580981970 CEST	80	49707	93.184.220.29	192.168.2.4
Jul 20, 2021 20:54:59.581056118 CEST	49707	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:54:59.587475061 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.587515116 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.587538958 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.587697029 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.587762117 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.587791920 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.590522051 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.590560913 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.590588093 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.590615034 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.590694904 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.590713978 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.592295885 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.592335939 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.592363119 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.592385054 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.592408895 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.592432022 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.592461109 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.592485905 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.592535019 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.592547894 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.592550993 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.592552900 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.594724894 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.594779968 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.594818115 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.594940901 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.595400095 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.595446110 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.595499039 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.595568895 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.595594883 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.595877886 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.595894098 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.595896959 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.595966101 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.596074104 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.596100092 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.596172094 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.596921921 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.596955061 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.597018003 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.597109079 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.597119093 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.597189903 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.597219944 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.597378016 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.611290932 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.611334085 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.611464977 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.612458944 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.612493992 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.612519979 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.612545967 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.612565041 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.612590075 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.612991095 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.613970995 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614010096 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614034891 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614059925 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614082098 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614159107 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.614171982 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.614176035 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.614201069 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614227057 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614249945 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614274025 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.614346981 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.614352942 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.689204931 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.689249039 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.689683914 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.689744949 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.690038919 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.690068007 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.690161943 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.690179110 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.691159964 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.691210985 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.691215038 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.691216946 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.695471048 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.695507050 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.695533037 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.695555925 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.695575953 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.695596933 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.695617914 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.695637941 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.695707083 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.695727110 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.696238995 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.696293116 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.697009087 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.700814009 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.700865984 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.700897932 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.700932980 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.701792002 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.701879025 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.701904058 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.701961040 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.702053070 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.702176094 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.702192068 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.702194929 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.702574968 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.702605009 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.702630997 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.702653885 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.702673912 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.702675104 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.702907085 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.725155115 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725183964 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725199938 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725212097 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725301981 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725347996 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725370884 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725393057 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725413084 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725438118 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725461006 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725868940 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725898981 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725920916 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725941896 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725964069 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.725984097 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.726022959 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.726026058 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.726051092 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.726054907 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.726057053 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.726059914 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.726085901 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.726089001 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.726090908 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.766345024 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.791002989 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.791043043 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.791214943 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.792160034 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.792196989 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.792222023 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.792244911 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.792269945 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.792360067 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.792372942 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.792392015 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.792459011 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.793579102 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.793613911 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.793642998 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.793715000 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.795021057 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.795064926 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.798194885 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.798934937 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.798964024 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.799021006 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.799026012 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.799052954 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.799133062 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.799169064 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.799376011 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.801457882 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.801651955 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.801680088 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.801718950 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.802231073 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.802248001 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.802350044 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.802381039 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.802400112 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.802424908 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.802464962 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.803134918 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.803504944 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.803535938 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.803561926 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.803586006 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.807199955 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.807225943 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.825097084 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.825135946 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.825162888 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.825402021 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.826438904 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.826476097 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.826497078 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.826518059 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.826571941 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.826606035 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.826673031 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.826692104 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.826698065 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.827274084 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.827318907 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.827343941 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.827370882 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.827383995 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.827397108 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.827409029 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.827564001 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.828432083 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.828465939 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.828490973 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.828634024 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.864934921 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.865199089 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.875951052 CEST	443	49694	204.79.197.200	192.168.2.4
Jul 20, 2021 20:54:59.892508984 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.892561913 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896126032 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896189928 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896225929 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896261930 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896300077 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896327972 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.896337986 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896362066 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.896372080 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896385908 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.896397114 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.896405935 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896451950 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896492958 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896544933 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896573067 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896605968 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896606922 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.896611929 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.896631956 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.896644115 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896687984 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896723032 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896759987 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.896796942 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.896801949 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.897041082 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.897119999 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.897156000 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.897187948 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.897222996 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.897223949 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.897238970 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.897614956 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.899487972 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.899590015 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.899627924 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.899658918 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.899796963 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.899812937 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.900333881 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.900368929 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.900389910 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.900413036 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.900496006 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.901174068 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.901225090 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.903078079 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.904074907 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.904449940 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.904479027 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.904500008 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.904519081 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.904537916 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.905111074 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.905141115 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.905159950 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.905177116 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907236099 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.907253981 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.907257080 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.907259941 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.907325029 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907605886 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907737970 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907821894 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907855034 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907885075 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907915115 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907948017 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.907979965 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:54:59.908014059 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.908044100 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.908047915 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.908067942 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:54:59.954293966 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:00.175071001 CEST	443	49702	13.107.5.88	192.168.2.4
Jul 20, 2021 20:55:00.380311012 CEST	80	49698	93.184.220.29	192.168.2.4
Jul 20, 2021 20:55:00.380433083 CEST	49698	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:55:01.030854940 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:01.064587116 CEST	80	49706	93.184.220.29	192.168.2.4
Jul 20, 2021 20:55:01.065483093 CEST	49706	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:55:01.184295893 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:01.279108047 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:01.329334021 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:01.430078030 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:01.469981909 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:01.771377087 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:01.934593916 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:01.937203884 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:02.034863949 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:02.074863911 CEST	443	49693	204.79.197.200	192.168.2.4
Jul 20, 2021 20:55:02.079190969 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:02.134622097 CEST	443	49690	204.79.197.200	192.168.2.4
Jul 20, 2021 20:55:02.177807093 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:02.223632097 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:02.553953886 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:02.649887085 CEST	443	49689	204.79.197.200	192.168.2.4
Jul 20, 2021 20:55:02.705403090 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:02.708319902 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:02.775872946 CEST	443	49696	204.79.197.200	192.168.2.4
Jul 20, 2021 20:55:02.864449024 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:03.010363102 CEST	443	49708	204.79.197.222	192.168.2.4
Jul 20, 2021 20:55:03.093210936 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:03.141716957 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:03.191274881 CEST	443	49687	204.79.197.200	192.168.2.4
Jul 20, 2021 20:55:03.565300941 CEST	443	49703	13.107.5.88	192.168.2.4
Jul 20, 2021 20:55:03.939265013 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:04.077817917 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:04.965451956 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:05.105397940 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:05.295320988 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:05.319561005 CEST	443	49704	13.107.42.23	192.168.2.4
Jul 20, 2021 20:55:05.345480919 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:08.096613884 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:08.142070055 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:09.831068993 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:09.977323055 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:13.083563089 CEST	80	49706	93.184.220.29	192.168.2.4
Jul 20, 2021 20:55:13.084896088 CEST	49706	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:55:13.102665901 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:13.158142090 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:13.381501913 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:13.423849106 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:13.763734102 CEST	80	49698	93.184.220.29	192.168.2.4
Jul 20, 2021 20:55:13.763856888 CEST	49698	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:55:13.875632048 CEST	80	49707	93.184.220.29	192.168.2.4
Jul 20, 2021 20:55:13.875771046 CEST	49707	80	192.168.2.4	93.184.220.29
Jul 20, 2021 20:55:14.925040007 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:15.092382908 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:18.113876104 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:18.158623934 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:19.956137896 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:20.103272915 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:21.458796978 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:21.502635956 CEST	49767	5626	192.168.2.4	178.170.138.163
Jul 20, 2021 20:55:23.122646093 CEST	5626	49767	178.170.138.163	192.168.2.4
Jul 20, 2021 20:55:23.174604893 CEST	49767	5626	192.168.2.4	178.170.138.163

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 20, 2021 20:53:03.080075026 CEST	58028	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:03.095879078 CEST	53	58028	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:03.497672081 CEST	53097	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:03.518735886 CEST	53	53097	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:04.246798038 CEST	49257	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:04.259433985 CEST	53	49257	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:05.161753893 CEST	62389	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:05.174273968 CEST	53	62389	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:06.222085953 CEST	49910	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:06.234720945 CEST	53	49910	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:07.443651915 CEST	55854	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:07.456856966 CEST	53	55854	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:08.769318104 CEST	64549	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:08.784786940 CEST	53	64549	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:09.850197077 CEST	63153	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:09.862863064 CEST	53	63153	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:10.907741070 CEST	52991	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:10.919694901 CEST	53	52991	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:11.797177076 CEST	53700	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:11.810538054 CEST	53	53700	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:13.011362076 CEST	51726	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:13.025382042 CEST	53	51726	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:14.257255077 CEST	56794	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:14.269445896 CEST	53	56794	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:15.828495026 CEST	56534	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:15.841645956 CEST	53	56534	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:16.653623104 CEST	56627	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:16.666963100 CEST	53	56627	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:17.577039003 CEST	56621	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:17.589631081 CEST	53	56621	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:18.619400024 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:18.632201910 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:19.440938950 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:19.456465960 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:22.020378113 CEST	64801	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:22.033862114 CEST	53	64801	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:35.628530025 CEST	61721	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:35.642158985 CEST	53	61721	8.8.8.8	192.168.2.4
Jul 20, 2021 20:53:55.819211006 CEST	51255	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:53:55.838304043 CEST	53	51255	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:01.942260981 CEST	61522	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:02.094908953 CEST	53	61522	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:02.686131954 CEST	52337	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:02.751868963 CEST	53	52337	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:03.390436888 CEST	55046	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:03.423921108 CEST	53	55046	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:04.131932020 CEST	49612	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:04.214224100 CEST	53	49612	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:04.877422094 CEST	49285	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:04.891092062 CEST	53	49285	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:06.353360891 CEST	50601	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:06.449522018 CEST	53	50601	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:07.285285950 CEST	60875	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:07.299464941 CEST	53	60875	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:08.452699900 CEST	56448	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:08.465725899 CEST	53	56448	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:09.744180918 CEST	59172	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:09.757294893 CEST	53	59172	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:11.563493013 CEST	62420	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:11.577337980 CEST	53	62420	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:12.294811010 CEST	60579	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:12.307620049 CEST	53	60579	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:15.604841948 CEST	50183	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:15.622859955 CEST	53	50183	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:45.058250904 CEST	61531	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:45.084662914 CEST	53	61531	8.8.8.8	192.168.2.4
Jul 20, 2021 20:54:46.908283949 CEST	49228	53	192.168.2.4	8.8.8.8
Jul 20, 2021 20:54:46.935163975 CEST	53	49228	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SKGCTMGCarta20210701516374466893343426doc.exe PID: 6916 Parent PID: 5944

General

Start time:	20:53:08
Start date:	20/07/2021
Path:	C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe'
Imagebase:	0x4a0000
File size:	972288 bytes
MD5 hash:	0EB0833449CEC388F8157458FC600691
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6772 Parent PID: 6916

General

Start time:	20:53:41
Start date:	20/07/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'
Imagebase:	0xb30000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6472 Parent PID: 6772

General

Start time:	20:53:41
Start date:	20/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MSBuild.exe PID: 6436 Parent PID: 6916

General

Start time:	20:53:42
Start date:	20/07/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x570000
File size:	261728 bytes
MD5 hash:	D621FD77BD585874F9686D3A76462EF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000009.00000002.918142857.0000000003BC2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000009.00000002.917459276.0000000002A0F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000009.00000002.918165301.0000000003BE8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: MSBuild.exe PID: 6436 Parent PID: 6916 MSBuild.exeCOMMON

Executed Functions

Function 06841480, Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f9c49a0e46e7cea76f1897a272ea16895ae0f0284ab7c7260dd46cbceb0559b
Instruction ID: 9113c1ec7874798c201155a9628efba112493c7c4abd10300446666d93805bee
Opcode Fuzzy Hash: 7f9c49a0e46e7cea76f1897a272ea16895ae0f0284ab7c7260dd46cbceb0559b
Instruction Fuzzy Hash: 7712BD30E10619CFE764EF74C09967DBBF6EB89304F1981AAE196DB351DB349880CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04D793E8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 04D7962E

Strings

HR, xrefs: 04D7958B
HR, xrefs: 04D79566

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: HandleModule
String ID: HR$HR
API String ID: 4139908857-4037001784
Opcode ID: 069a24d0ec2fb270702f2e2d245239ba94de4a419ba669066bcb602fa9adf0a3
Instruction ID: 6a28284220b45373c7437d05c78111cccae1b2bc1b6401601f7a353426fb371a
Opcode Fuzzy Hash: 069a24d0ec2fb270702f2e2d245239ba94de4a419ba669066bcb602fa9adf0a3
Instruction Fuzzy Hash: 3E7135B1A00B058FE724DF2AD45575AB7F1FF88218F108A6DE58AD7A50E734F806CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04D7DA04, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D7FD0A

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4d9d0284410ecd9fb94cc0c0fade355d80bd1b5751bbe7f34549c678cb164e45
Instruction ID: 18d6dddb23a33b772d10821135a69e920fa2ccae3895c2f2313c7ec8ec74d2e3
Opcode Fuzzy Hash: 4d9d0284410ecd9fb94cc0c0fade355d80bd1b5751bbe7f34549c678cb164e45
Instruction Fuzzy Hash: 145190B1D00309DFDB24CFA9D884ADEBBB5FF48314F24852AE819AB214D774A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04D7FE03, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04D7FE28,?,?,?,?), ref: 04D7FE9D

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: de570a3cba3fb720acc8f24c453c24d970c8eea8fd33e072ab5d52ff9610cdef
Instruction ID: bc189f243139e17971932bed5700439c144512db73ec885ba610bd881f6dbcd4
Opcode Fuzzy Hash: de570a3cba3fb720acc8f24c453c24d970c8eea8fd33e072ab5d52ff9610cdef
Instruction Fuzzy Hash: CA2155B1804248DFDB11CFA9E488BDABFF4EB49314F05844AE854AB262D735A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D7A14C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04D7BCC6,?,?,?,?,?), ref: 04D7BD87

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d25c82c83314b9187b0961da544167e5457661a3579bc1e26e259e8c30c893dc
Instruction ID: 47960f048f46e2f7a610559c92493592f2f15bbf7aaa8f50caa85ac88dacd29c
Opcode Fuzzy Hash: d25c82c83314b9187b0961da544167e5457661a3579bc1e26e259e8c30c893dc
Instruction Fuzzy Hash: 0521E6B5900248AFDB10CF99D884BEEBBF4FB48314F14845AE955A7310D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D7BCF9, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04D7BCC6,?,?,?,?,?), ref: 04D7BD87

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1e035f0f9521ab12bed970ac0b6d485841c9ef17445a230e53894fd5bd5f6e48
Instruction ID: 30fb9fa1db5e559b01a47a1cb40d90a2a59132def4a1ac56ddf7260e75576491
Opcode Fuzzy Hash: 1e035f0f9521ab12bed970ac0b6d485841c9ef17445a230e53894fd5bd5f6e48
Instruction Fuzzy Hash: EC21F3B5900208DFDB10CFA9D484BEEBBF5FB48324F14841AE919A7350D378AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D78768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04D796A9,00000800,00000000,00000000), ref: 04D798BA

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aaf678a7332cf10eec638df4f3836ee40881e7c9bbe75f3320c92d715c637087
Instruction ID: c2e1cd40e1478caf1bf8bd7a3cc5138f97ff69c0f9120fe9eb439bc836fa3c16
Opcode Fuzzy Hash: aaf678a7332cf10eec638df4f3836ee40881e7c9bbe75f3320c92d715c637087
Instruction Fuzzy Hash: DB1103B69042098FEB10CF9AD444BDEFBF4EB48324F04846EE529A7600D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D79849, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,04D796A9,00000800,00000000,00000000), ref: 04D798BA

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 40250f2edeb5069969a024c1dadfb686ee73d2b2de3a18902a99139057fff829
Instruction ID: 7c44cf87f3c157e3dba94460643b32178a8d4259dbc01a6b88204f395e7b569e
Opcode Fuzzy Hash: 40250f2edeb5069969a024c1dadfb686ee73d2b2de3a18902a99139057fff829
Instruction Fuzzy Hash: 0311D0B69042098FEB10CF9AD444BDEFBF5AB88324F14846AD529A7600C778A645CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 04D795C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 04D7962E

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 271394db82d293c48b970fa7395aaa29bfdbbe8f765233d9d3c4f8014267bdbe
Instruction ID: 57bb1345397c4a4a4c6b3cd69e2fe95217087239d243b28f8ec4c96b26a5ea0d
Opcode Fuzzy Hash: 271394db82d293c48b970fa7395aaa29bfdbbe8f765233d9d3c4f8014267bdbe
Instruction Fuzzy Hash: 8E11F2B6C006498FDB10CF9AD484BDEFBF4EF88324F14856AD429A7610D378A546CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04D7DA3C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,04D7FE28,?,?,?,?), ref: 04D7FE9D

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5f53c8957a546a734f91ffabb7a64c03ca2dc5adeb64bea10e47d421524e436b
Instruction ID: a9c7b01508632e51b3b42777183ddc5218b43cc5f7a4c93b9ac9f9c2fc6a4cc3
Opcode Fuzzy Hash: 5f53c8957a546a734f91ffabb7a64c03ca2dc5adeb64bea10e47d421524e436b
Instruction Fuzzy Hash: D71106B59002499FDB20CF99D484BEFBBF8EB48324F10845AE915A7341D374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 068436E8, Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3470d37262bb1dc168eedda87c5a0d1294d6d4b4365ee663f0ae3a2e1d96de41
Instruction ID: d2e0fc3e035013c5c7f7ffcc050ad24f7353d63457933f58def9f1e93990fa6e
Opcode Fuzzy Hash: 3470d37262bb1dc168eedda87c5a0d1294d6d4b4365ee663f0ae3a2e1d96de41
Instruction Fuzzy Hash: 28A12371E0816EDFD750EB6AC8464BEFBB5AF81304B18817AD469DB242C735D901C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 06840624, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a96acfde2bfa276a767a1b1fb39498801942304f6ff22f8715aced764041d4b
Instruction ID: 91a103e0d30cd31ef87c69f8a8d530887b553e04187368b64db2538c93defb8c
Opcode Fuzzy Hash: 3a96acfde2bfa276a767a1b1fb39498801942304f6ff22f8715aced764041d4b
Instruction Fuzzy Hash: 1AB16D74A01308DFE7A8DF68D484A6EB7B6FF88314B148469E616DB361DB70EC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06843C20, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899e1ace5a601d0c865df0357e62f12c096fbcce28e45d58d743eec2094af999
Instruction ID: e703e00c506a64d72af44c72c4b7f896fbe5a11ae7e3ba772febc58ebc807b4e
Opcode Fuzzy Hash: 899e1ace5a601d0c865df0357e62f12c096fbcce28e45d58d743eec2094af999
Instruction Fuzzy Hash: 74418170F0421D9FDF99BFBAC41866EB6F6AB88244F10842DE916D7350DA3448418B91

Uniqueness

Uniqueness Score: -1.00%

Function 06843100, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d560db382e9d6b27f86a9e830d3c1982247bc03772371d2c22ffbe0df699e373
Instruction ID: c4c46121b3db68a680a47bc78e072760c368f445e28ffd46ed5afd755c77a9ea
Opcode Fuzzy Hash: d560db382e9d6b27f86a9e830d3c1982247bc03772371d2c22ffbe0df699e373
Instruction Fuzzy Hash: F531AB71D0434CDFEB14DF96D441A9DBBB1FF88318F2085AAE505AB201E772A846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06843500, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74919bc20e75fd4f88a82d2aed8f0d6f3ca8dd48902c0318759a8b89e862500b
Instruction ID: efe209a39667f24f993adf9cfff5c76c854a4e443fcc8d1a0fc6807c15f79695
Opcode Fuzzy Hash: 74919bc20e75fd4f88a82d2aed8f0d6f3ca8dd48902c0318759a8b89e862500b
Instruction Fuzzy Hash: 6621C275B041189FC7A8BB78D85596E3BF9EF8921531240A9E20ACF362DF30DC01C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.916831552.0000000000E8D000.00000040.00000001.sdmp, Offset: 00E8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fad58e50b8953c8f57a7f0cbce2588d11901c519e7b95cd06524a730b4f1758
Instruction ID: 9505cbdbae945764340f36ed4f978e6bede03bfbff44e65505594b4aeb6696b5
Opcode Fuzzy Hash: 6fad58e50b8953c8f57a7f0cbce2588d11901c519e7b95cd06524a730b4f1758
Instruction Fuzzy Hash: BD2133B1508240DFDB01EF44DCC0B26BB61FB88328F24C56AE90D5B286C336E806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.916855754.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268f43f3086b60edc61dcf851715f5487464d62c940d9cbdfa5ebc5eb89da1bb
Instruction ID: 60d6a50645e6dba987073cc85edd00edea966b9b02b87bf0aefeb2439fcc3d74
Opcode Fuzzy Hash: 268f43f3086b60edc61dcf851715f5487464d62c940d9cbdfa5ebc5eb89da1bb
Instruction Fuzzy Hash: 5F21D071608340DFDF14CF24DCC4B26BBA6FB88328F24C569E94A5B246C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D005, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.916855754.0000000000E9D000.00000040.00000001.sdmp, Offset: 00E9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a75c91a18d031b68ee9471f0928deabc533f5eb4af9ccf0c9900a7d8b782b9
Instruction ID: 6f249ca54d9e39575d36bbbcb5df8fe73845b191119d860ec824037bed7ef3a6
Opcode Fuzzy Hash: 83a75c91a18d031b68ee9471f0928deabc533f5eb4af9ccf0c9900a7d8b782b9
Instruction Fuzzy Hash: 4321627550D3C08FDB12CF24D994715BF71EB46314F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06843A08, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2383ee81706baafbe9bd45485f1c5612c400d209f52438fa82ae1851ed56ec
Instruction ID: 61ab96f109c43fc0783c88a307287970b86c6895e0c8bd9a9946dcec6e790a14
Opcode Fuzzy Hash: ad2383ee81706baafbe9bd45485f1c5612c400d209f52438fa82ae1851ed56ec
Instruction Fuzzy Hash: AB11C235B4460C9FDF90FB699845BAFB7E5EF88654F00843AD20AE7341DA7099058BD1

Uniqueness

Uniqueness Score: -1.00%

Function 06842FD8, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d4d135d43d26c54d001867560c25d527a96d6c1f4eed07d8bd9eb10436a049
Instruction ID: 908b7d884e1e18c6c50c0d3dd8178de1f4a1344f672fa35fd4d4ec0430213ffc
Opcode Fuzzy Hash: 29d4d135d43d26c54d001867560c25d527a96d6c1f4eed07d8bd9eb10436a049
Instruction Fuzzy Hash: 65012B317091589F8324235AE82906ABFE8DB8E51531445BEE14ED7653CA618C06C3F2

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.916831552.0000000000E8D000.00000040.00000001.sdmp, Offset: 00E8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5043b6c2da621b163927777207973572f5b35b4e9aec94d40c3742f4f8286eb8
Instruction ID: 45718798aef6422b8bcb5e0001606e67ee36e115126bcd2770f9d95a6a0f7781
Opcode Fuzzy Hash: 5043b6c2da621b163927777207973572f5b35b4e9aec94d40c3742f4f8286eb8
Instruction Fuzzy Hash: 2D11E976408240CFCF12DF14D9C4B16BF71FB94328F24C5AAD9091B656C336D956CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06840604, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9164f7e7dd6d20e8e334ab6965374e83f56537bb10d8c6c92c46932e451389c
Instruction ID: 5fadc0bbf33feb2ff6b4f7e10c0ed5c450589687064a118171f643b2e65f74c3
Opcode Fuzzy Hash: d9164f7e7dd6d20e8e334ab6965374e83f56537bb10d8c6c92c46932e451389c
Instruction Fuzzy Hash: 6B0104713002255FD794AF29E884B2E77E6EF88714B008429E30ADB360CE71EC458794

Uniqueness

Uniqueness Score: -1.00%

Function 06840E98, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a8eab18955558b8d8dbabd13013d1bf201cadaa84255f71331b50cab3cdbc2
Instruction ID: acd34206a8eac8f54b0f6d4689c1830b0aa1abf25827b2fd95e35aa4d0ede847
Opcode Fuzzy Hash: c7a8eab18955558b8d8dbabd13013d1bf201cadaa84255f71331b50cab3cdbc2
Instruction Fuzzy Hash: B1F0CD113051982BE724737898253BF65CBCFC6A54F18846DE10EEF782DEA8AC0603F6

Uniqueness

Uniqueness Score: -1.00%

Function 06841050, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c335c82c4c968cb03b4703c82163c6f7089d1f1cb31e8a574a90b80173bc4d5
Instruction ID: fff6e2e80aeebe92bef2d4cc644ddcdf6f4ad57f18f179507d0b9491f4440a50
Opcode Fuzzy Hash: 0c335c82c4c968cb03b4703c82163c6f7089d1f1cb31e8a574a90b80173bc4d5
Instruction Fuzzy Hash: D3F0C2113051982BE7243378941537F65CBCFC6654F08846ED50FEB782DD599C0603A6

Uniqueness

Uniqueness Score: -1.00%

Function 06843290, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebcb8a4584c5f898010eda3f04a9dae85ead51795d2a20f531e1f9f427cc84bd
Instruction ID: 6574dac074a4ce851f8baba4c80e8da2101c36150f52c8f46b2d0b345030372b
Opcode Fuzzy Hash: ebcb8a4584c5f898010eda3f04a9dae85ead51795d2a20f531e1f9f427cc84bd
Instruction Fuzzy Hash: 69E04F1075826D6BE7E432EA691A7BE314A1FA544AF15115ACB2BEA780ED808C0107FB

Uniqueness

Uniqueness Score: -1.00%

Function 06840F28, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a810bd41b92030eb39e4ef13b2b919998bbb6800575736bfe33c96d7516da6
Instruction ID: ad367b9620c5301422b1d8a158e0d72cdf8555a6e086108b8e11de009b84e331
Opcode Fuzzy Hash: f6a810bd41b92030eb39e4ef13b2b919998bbb6800575736bfe33c96d7516da6
Instruction Fuzzy Hash: 9BC08C3022D20C9FEF4CEB5A685292B339B53C8704F48C0B1BA0EAA1858AB168008088

Uniqueness

Uniqueness Score: -1.00%

Function 06840634, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b797cbc1a2c78cc6353733647a4d45134a26137c2823fbe28f4aaf95f19b5ff
Instruction ID: 598ebdfb2a3deeda21ef13f61e0f519ede6498b48eb5e968d183209af36efa7e
Opcode Fuzzy Hash: 6b797cbc1a2c78cc6353733647a4d45134a26137c2823fbe28f4aaf95f19b5ff
Instruction Fuzzy Hash: 7EA0020655D2FE4A6AD4726D085A13D2551BE9711C7C1DC879396C1540D90D44644067

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 068342EB, Relevance: 1.1, Instructions: 1060COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9457e604d4c9c00d0073ba3f9ee1674f963772ea4ed6f652a2b9f6c7ff8090
Instruction ID: 16a2e649a675ae1bca8762c455cfb922da6ca4c3ced9067dfe543fe72308c7fb
Opcode Fuzzy Hash: ce9457e604d4c9c00d0073ba3f9ee1674f963772ea4ed6f652a2b9f6c7ff8090
Instruction Fuzzy Hash: 1C92ED6244E3C19FC7538B708CA56917FB0AE13214B1E86EFC8C4CF4A3E25D995AD762

Uniqueness

Uniqueness Score: -1.00%

Function 068346D3, Relevance: .7, Instructions: 662COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09f1699bf920d4725c6dbf53b3fc8087d7938aa7f42622333059295ac9e7149
Instruction ID: a395d760bcb0f2714c8b5abe8a37022ae7eae89e8c433cb2a04e1ed751041544
Opcode Fuzzy Hash: b09f1699bf920d4725c6dbf53b3fc8087d7938aa7f42622333059295ac9e7149
Instruction Fuzzy Hash: 6752CA6144E3C15FC7538B308CA96927FB0AE13214B1E86EFC8C5CF4A3E6195A1AD762

Uniqueness

Uniqueness Score: -1.00%

Function 04D7E480, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce3febdba3e5911a815f503d90e8a3e9c7a2b43c2cb00de2dc5241f090d1166
Instruction ID: b0dea0d08fd1559a6cdd389ced87bcc993819db419778bf240aa0b84fb9a4dc4
Opcode Fuzzy Hash: 2ce3febdba3e5911a815f503d90e8a3e9c7a2b43c2cb00de2dc5241f090d1166
Instruction Fuzzy Hash: 6412D7F1C937668BE310CF65E8985893F71B781328BD0CA09D261AFAD1D7B4116ACF48

Uniqueness

Uniqueness Score: -1.00%

Function 06833324, Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, Offset: 06830000, based on PE: true

Associated: 00000009.00000002.922344287.0000000006840000.00000040.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee0c311f7b38507ac0eb958db4c1590f29ff86374dd378a90cbf6789aa7b962
Instruction ID: eda64b2bdfbdc91a10e31025fba3b7a47fab9c9cd8c8d7c2781dd8cfefebe7d5
Opcode Fuzzy Hash: 2ee0c311f7b38507ac0eb958db4c1590f29ff86374dd378a90cbf6789aa7b962
Instruction Fuzzy Hash: 1BC1202140E3D24FCB13AB388DB9281BFB19E5721471E89DBC4C0CF0A7EA691959C762

Uniqueness

Uniqueness Score: -1.00%

Function 04D7E471, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.918692368.0000000004D70000.00000040.00000001.sdmp, Offset: 04D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf4811dc1086e7a56bf8a888e5a14e6b1f7ccfa320f9817383319b3db6b9378a
Instruction ID: 1193b8262572d155596ad860961a9aedd3d99992a70f43f76210cadb62a7f40a
Opcode Fuzzy Hash: cf4811dc1086e7a56bf8a888e5a14e6b1f7ccfa320f9817383319b3db6b9378a
Instruction Fuzzy Hash: 49C11AF1C927668BE710DF65E8881893F71BB85328FD18B09D161AF6D0D7B4106ACF58

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SKGCTMGCarta20210701516374466893343426doc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos