Windows Analysis Report SKGCTMGCarta20210701516374466893343426doc.exe

Overview

General Information

Sample Name: SKGCTMGCarta20210701516374466893343426doc.exe
Analysis ID: 451593
MD5: 0eb0833449cec388f8157458fc600691
SHA1: 63c969feee64e6fe65d289fbbdf6e2c971f8878b
SHA256: 945ab6b146dc530e61824b8ccdd396c6c5d84c9537736db859771b1ee2dd93fe
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Process Tree

  • System is w10x64
  • SKGCTMGCarta20210701516374466893343426doc.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe' MD5: 0EB0833449CEC388F8157458FC600691)
    • schtasks.exe (PID: 6772 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 6436 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "01f9d977-6605-495e-941a-753d3cd6", "Group": "4Maticross.", "Domain1": "178.170.138.163", "Domain2": "", "Port": 5626, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x39eb:$x2: NanoCore.ClientPluginHost
  • 0x3b36:$s4: PipeCreated
  • 0x3a05:$s5: IClientLoggingHost
00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4bbb:$x1: NanoCore.ClientPluginHost
  • 0x4be5:$x2: IClientNetworkHost
00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x4bbb:$x2: NanoCore.ClientPluginHost
  • 0x6a6b:$s4: PipeCreated
00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost
(5 of 37 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.MSBuild.exe.5270000.20.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
9.2.MSBuild.exe.5270000.20.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
9.2.MSBuild.exe.53b0000.25.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x605:$x1: NanoCore.ClientPluginHost
  • 0x63e:$x2: IClientNetworkHost
9.2.MSBuild.exe.53b0000.25.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x605:$x2: NanoCore.ClientPluginHost
  • 0x720:$s4: PipeCreated
  • 0x61f:$s5: IClientLoggingHost
9.2.MSBuild.exe.3c5b3e6.14.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
(5 of 121 entries shown)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe', ParentImage: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe, ParentProcessId: 6916, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 6436, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "01f9d977-6605-495e-941a-753d3cd6", "Group": "4Maticross.", "Domain1": "178.170.138.163", "Domain2": "", "Port": 5626, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: 178.170.138.163; Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe; ReversingLabs: Detection: 19%
Yara detected Nanocore RAT
Source: Yara match; File source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SKGCTMGCarta20210701516374466893343426doc.exe; Joe Sandbox ML: detected
Source: 9.2.MSBuild.exe.53c0000.27.unpack; Avira: Label: TR/NanoCore.fadte
Source: 9.2.MSBuild.exe.38f8a10.6.unpack; Avira: Label: TR/NanoCore.fadte
Source: 9.2.MSBuild.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: SKGCTMGCarta20210701516374466893343426doc.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SKGCTMGCarta20210701516374466893343426doc.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 178.170.138.163
Source: Malware configuration extractor; URLs:
Source: global traffic; TCP traffic: 192.168.2.4:49744 -> 178.170.138.163:5626
Source: Joe Sandbox View; IP Address: 178.170.138.163
Source: Joe Sandbox View; ASN Name: ETOP-ASPL
Source: unknown; TCP traffic detected without corresponding DNS query: 178.170.138.163 (29 entries)
Source: unknown; TCP traffic detected without corresponding DNS query: 93.184.221.240 (3 entries)
Source: unknown; TCP traffic detected without corresponding DNS query: 93.184.220.29 (7 entries)
Source: unknown; TCP traffic detected without corresponding DNS query: 2.22.152.11 (1 entry)
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.200 (2 entries)
Source: unknown; TCP traffic detected without corresponding DNS query: 40.126.31.136 (8 entries)
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: SKGCTMGCarta20210701516374466893343426doc.exe; String found in binary or memory: http://tempuri.org/SeguridadDS.xsd
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.653877681.0000000005C48000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.como.
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.650929084.0000000005C4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.650929084.0000000005C4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comn
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.652846732.0000000005C3E000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnre
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.652846732.0000000005C3E000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnt
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp//-e
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655772497.0000000005C3C000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655627410.0000000005C3C000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0o
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/fed
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/iv
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/G
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/str
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/wdthd
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.651828375.0000000005C4B000.00000004.00000001.sdmp, SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.651216772.0000000005C4B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown; Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown; Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown; Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown; Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown; Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown; Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49702
Source: MSBuild.exe, 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 9.2.MSBuild.exe.5270000.20.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.53b0000.25.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3c5b3e6.14.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.2bd18b0.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6830000.38.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6390000.32.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6380000.31.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6390000.32.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3bd7676.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.2bc5624.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.53b0000.25.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.64a0000.34.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.64b0000.37.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3bce847.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.53a0000.24.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.53a0000.24.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3c4cfb6.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3c5b3e6.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.5350000.22.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6370000.30.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.64b4c9f.36.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3c4cfb6.13.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.5340000.21.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.64b0000.37.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3c44187.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6360000.29.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6380000.31.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3a50f69.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.64be8a4.35.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3bd7676.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6830000.38.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.5380000.23.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.5350000.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3a5d19d.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.64a0000.34.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.5340000.21.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.6370000.30.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3a717ca.8.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3a50f69.9.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.MSBuild.exe.3a5d19d.7.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.918142857.0000000003BC2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.917459276.0000000002A0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.918165301.0000000003BE8000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_06841480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_068346D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_068342EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_06833324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_04D7E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 9_2_04D7E471
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647837069.0000000000590000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAssemblyDefaultAliasAttribu.exe> vs SKGCTMGCarta20210701516374466893343426doc.exe
Source: SKGCTMGCarta20210701516374466893343426doc.exe | Binary or memory string: OriginalFilenameAssemblyDefaultAliasAttribu.exe> vs SKGCTMGCarta20210701516374466893343426doc.exe
Source: SKGCTMGCarta20210701516374466893343426doc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
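The YARA match lines above and below are one record per (memory region, rule) pair, which makes it hard to answer the triage question that matters: in which region of MSBuild.exe does the NanoCore code actually execute, as opposed to the many read/write heap copies of the payload? The following script is an added example, not part of this report and not Joe Sandbox code. It parses both line shapes on this page (the short "description Author: name" form and the long "rule_name key = value, ..." form), decodes the source names, and groups hits by process and region base. The field layout of the ".sdmp" and ".unpack" names (process index, phase, sequence, base address, page protection) is inferred from the names on this page and is an assumption; the PAGE_* values are the real winnt.h memory-protection constants. The sample lines embedded in the script are copied from this report.

```python
"""Triage helper for Joe Sandbox YARA match lines (added example, not report code)."""
import re
from collections import defaultdict

# Real Windows memory protection constants (winnt.h), used to decode the
# protection field of ".sdmp" dump names.
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# One report line. In the extracted page the "type" cell and the "Matched rule"
# cell run together ("UNPACKEDPEMatched rule:"); the regex also accepts a space
# or a " | " between them.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*\|?\s*Matched rule:\s*(?P<rest>.+)$")
# ASSUMED layout: <proc>.<phase>.<seq>.<base>.<protection>.<kind>.sdmp (hex fields)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$")
# ASSUMED layout: <proc>.<phase>.<image>.<base>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<phase>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9a-f]+)\."
    r"(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")


def parse_rule(rest):
    """Return (label, author) from the text after 'Matched rule:'.
    Short form: '<description> Author: <author>'; long form: '<name> k = v, k = v, ...'."""
    if " Author: " in rest:
        label, author = rest.rsplit(" Author: ", 1)
        return label.strip(), author.strip()
    name, _, meta = rest.partition(" ")
    fields = {}
    for item in re.split(r",\s+(?=[A-Za-z0-9_]+ = )", meta):
        key, _, value = item.partition(" = ")
        fields[key.strip()] = value.strip()
    return name, fields.get("author", "unknown")


def parse_source(src):
    """Decode a source name into process index, region base and page protection."""
    m = SDMP_RE.match(src)
    if m:
        prot = int(m["prot"], 16)
        return {"kind": "sdmp", "proc": int(m["proc"], 16), "base": int(m["base"], 16),
                "protection": PAGE_PROTECTION.get(prot, hex(prot)), "image": None}
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "base": int(m["base"], 16),
                "protection": None, "image": m["image"]}
    # e.g. "Process Memory Space: MSBuild.exe PID: 6436": a whole-process scan
    return {"kind": "other", "proc": None, "base": None, "protection": None, "image": None}


def triage(lines):
    """Group matches by (process index, region base). Each entry holds the distinct
    (label, author) rules that hit, the raw sources, page protections and host image."""
    regions = defaultdict(lambda: {"rules": set(), "sources": [], "protection": set(), "image": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a YARA match line (code functions, static PE info, ...)
        label, author = parse_rule(m["rest"])
        src = parse_source(m["src"])
        entry = regions[(src["proc"], src["base"])]
        entry["rules"].add((label, author))
        entry["sources"].append(m["src"])
        if src["protection"]:
            entry["protection"].add(src["protection"])
        if src["image"]:
            entry["image"].add(src["image"])
    return dict(regions)


def executable_regions(regions):
    """Regions whose dump carried an EXECUTE protection: where injected code can
    actually run, as opposed to read/write heap copies of the same payload."""
    return sorted(k for k, v in regions.items() if any("EXECUTE" in p for p in v["protection"]))


# Lines copied from this report; the rest of the page has the same two shapes.
SAMPLE_LINES = [
    "Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth",
    "Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 9.2.MSBuild.exe.5270000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for (proc, base), v in hits.items():
        print(proc, hex(base) if base is not None else "-", sorted(v["protection"]), sorted(r for r, _ in v["rules"]))
    print("executable:", [(p, hex(b)) for p, b in executable_regions(hits)])
```

On the sample lines the only region with an executable protection is 0x402000 in process 9 (MSBuild.exe), the 0x40 (PAGE_EXECUTE_READWRITE) dump that both the Roth and the Breen rules hit; the 0x5340000 hit is a PAGE_READWRITE copy. Fed the whole match list, the same pivot separates the hollowed image from the many heap copies that inflate the hit count, which is the first thing to check before treating every matched region as a distinct implant.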
Source: 9.2.MSBuild.exe.5270000.20.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5270000.20.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53b0000.25.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53b0000.25.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c5b3e6.14.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c5b3e6.14.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bd18b0.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2bd18b0.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6830000.38.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6830000.38.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6390000.32.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6390000.32.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6380000.31.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6380000.31.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6390000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6390000.32.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3bd7676.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3bd7676.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bc5624.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2bc5624.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53b0000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53b0000.25.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64a0000.34.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64a0000.34.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64b0000.37.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64b0000.37.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c44187.12.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3bce847.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3bce847.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53a0000.24.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53a0000.24.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53a0000.24.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53a0000.24.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c4cfb6.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c4cfb6.13.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c5b3e6.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c5b3e6.14.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.5350000.22.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5350000.22.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6370000.30.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6370000.30.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64b4c9f.36.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64b4c9f.36.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c4cfb6.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c4cfb6.13.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.5340000.21.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5340000.21.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64b0000.37.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64b0000.37.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3c44187.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3c44187.12.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6360000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6360000.29.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6380000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6380000.31.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3a50f69.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3a50f69.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bc5624.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.64be8a4.35.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64be8a4.35.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2be5f30.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3bd7676.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3bd7676.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6830000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6830000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.5380000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5380000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.5350000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5350000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3a5d19d.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3a5d19d.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.64a0000.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.64a0000.34.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3bce847.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.5340000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.5340000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.6370000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.6370000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3a717ca.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.MSBuild.exe.2bd18b0.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3a50f69.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.3a5d19d.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.918142857.0000000003BC2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.917459276.0000000002A0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.918165301.0000000003BE8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/8@0/1
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | File created: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{01f9d977-6605-495e-941a-753d3cd6dc0b}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Mutant created: \Sessions\1\BaseNamedObjects\hyqnCGSIGeFUcA
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp
Source: SKGCTMGCarta20210701516374466893343426doc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [USUARIO] ([cve_empleado], [nombre], [ape_pat], [ape_mat], [correo], [id_usuario], [fecha_ingreso], [estado], [Bloqueo], [FechaCaducidad], [id_sucursal], [Autorizar], [jefe], [id_depto]) VALUES (@cve_empleado, @nombre, @ape_pat, @ape_mat, @correo, @id_usuario, @fecha_ingreso, @estado, @Bloqueo, @FechaCaducidad, @id_sucursal, @Autorizar, @jefe, @id_depto);
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [PERFILES] ([CveEmpresa], [cve_perfil], [id_sistema]) VALUES (@CveEmpresa, @cve_perfil, @id_sistema);
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [SEG_MAESTRA] ([cve_perfil], [nom_sistema], [modulo], [cve_menu], [cve_submenu], [cve_ssubmenu], [cve_sssubmenu], [menu]) VALUES (@cve_perfil, @nom_sistema, @modulo, @cve_menu, @cve_submenu, @cve_ssubmenu, @cve_sssubmenu, @menu);
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [PERFILES] SET [CveEmpresa] = @CveEmpresa, [cve_perfil] = @cve_perfil, [id_sistema] = @id_sistema WHERE (([CveEmpresa] = @Original_CveEmpresa) AND ([cve_perfil] = @Original_cve_perfil) AND ([id_sistema] = @Original_id_sistema));
Source: SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000000.647695218.00000000004A2000.00000002.00020000.sdmp | Binary or memory string: UPDATE [DEPTO] SET [id_depto] = @id_depto, [nom_depto] = @nom_depto WHERE (([id_depto] = @Original_id_depto) AND ((@IsNull_nom_depto = 1 AND [nom_depto] IS NULL) OR ([nom_depto] = @Original_nom_depto)));
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | File read: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
Source: unknown | Process created: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe'
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SKGCTMGCarta20210701516374466893343426doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SKGCTMGCarta20210701516374466893343426doc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: initial sampleStatic PE information: section name: .text entropy: 7.34236226121
Source: initial sampleStatic PE information: section name: .text entropy: 7.34236226121
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 9.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeFile created: C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 2255
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 7382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: foregroundWindowGot 607
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe TID: 6920Thread sleep time: -54519s >= -30000s
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe TID: 6968Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6664Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeThread delayed: delay time: 54519
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477
Source: MSBuild.exe, 00000009.00000002.922026486.00000000063A0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MSBuild.exe, 00000009.00000002.922026486.00000000063A0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: MSBuild.exe, 00000009.00000002.922026486.00000000063A0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MSBuild.exe, 00000009.00000003.779609147.0000000000D45000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000009.00000002.922026486.00000000063A0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6AE008
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: MSBuild.exe, 00000009.00000002.917823419.0000000002CF0000.00000004.00000001.sdmpBinary or memory string: Program Manager
Source: MSBuild.exe, 00000009.00000002.916937385.0000000001250000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: MSBuild.exe, 00000009.00000002.916937385.0000000001250000.00000002.00000001.sdmpBinary or memory string: Progman
Source: MSBuild.exe, 00000009.00000002.921539423.0000000005E7C000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager
Source: MSBuild.exe, 00000009.00000002.916937385.0000000001250000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: MSBuild.exe, 00000009.00000002.920987779.0000000005B2C000.00000004.00000001.sdmpBinary or memory string: Program Managerram Manager h
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\impact.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\taile.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\palai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\palab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: MSBuild.exe | String found in binary or memory: NanoCore.ClientPluginHost
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: MSBuild.exe, 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match | File source: 9.2.MSBuild.exe.38f8a10.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.53c0000.27.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.38f8a10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.53c4629.26.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.53c0000.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.38fd039.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.3cd82b0.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.3cdc8d9.16.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.3cd82b0.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.MSBuild.exe.3cd347a.17.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6436, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 212 | Masquerading 1 | Input Capture 11 | Security Software Discovery 111 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 212 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SKGCTMGCarta20210701516374466893343426doc.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe | 20% | ReversingLabs | Win32.Trojan.Pwsx

Unpacked PE Files

Source | Detection | Scanner | Label
9.2.MSBuild.exe.53c0000.27.unpack | 100% | Avira | TR/NanoCore.fadte
9.2.MSBuild.exe.38f8a10.6.unpack | 100% | Avira | TR/NanoCore.fadte
9.2.MSBuild.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
178.170.138.163 | 6% | Virustotal |
178.170.138.163 | 0% | Avira URL Cloud | safe
 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/str | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/U | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/a-e | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/G | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnre | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://tempuri.org/SeguridadDS.xsd | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/7 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/wdthd | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0o | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/q | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/iv | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cnt | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp//-e | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/fed | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
178.170.138.163 | true
  • 6%, Virustotal
  • Avira URL Cloud: safe
  Reputation: unknown
 | true
  • Avira URL Cloud: safe
  Reputation: low

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.jiyu-kobo.co.jp/str | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.653877681.0000000005C48000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/U | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
http://www.jiyu-kobo.co.jp/a-e | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
http://www.jiyu-kobo.co.jp/jp/G | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnre | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.652846732.0000000005C3E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/G | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.tiro.com | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.651828375.0000000005C4B000.00000004.00000001.sdmp; SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.651216772.0000000005C4B000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://tempuri.org/SeguridadDS.xsd | SKGCTMGCarta20210701516374466893343426doc.exe | false | Avira URL Cloud: safe | unknown
http://google.com | MSBuild.exe, 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/jp/ | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp; SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.jiyu-kobo.co.jp/7 | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655772497.0000000005C3C000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.jiyu-kobo.co.jp/wdthd | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y0o | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655627410.0000000005C3C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/q | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.jiyu-kobo.co.jp/iv | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp; SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655346202.0000000005C39000.00000004.00000001.sdmp; SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.founder.com.cn/cnt | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.652846732.0000000005C3E000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fonts.comn | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.650929084.0000000005C4B000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fonts.com | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.650929084.0000000005C4B000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.como. | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.jiyu-kobo.co.jp//-e | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655959045.0000000005C3A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/fed | SKGCTMGCarta20210701516374466893343426doc.exe, 00000000.00000003.655184814.0000000005C3C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
178.170.138.163 | unknown | Netherlands | 20853 | ETOP-ASPL | true

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:451593
Start date:20.07.2021
Start time:20:52:21
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 9m 41s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:SKGCTMGCarta20210701516374466893343426doc.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:19
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.evad.winEXE@6/8@0/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 168.61.161.212, 23.54.113.53, 104.43.139.144, 104.42.151.234, 52.255.188.83, 20.50.102.62, 23.0.174.200, 23.0.174.185, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.82.210.154
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
20:53:39 | API Interceptor | 2x Sleep call for process: SKGCTMGCarta20210701516374466893343426doc.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
178.170.138.163:
• SKCTMG_Carta_20210707_16374466893343426doc.exe | malicious
• #U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe | malicious
• Documento de transferencia de Scotiabank7497574730084doc.exe | malicious
• Documento de transferencia de Scotiabank749757473008422doc.exe | malicious
• Documento relativo al carico e alla spedizione del cliente_italy2020.exe | malicious
• Sitech#U4ea7#U54c1#U54a8#U8be2#U89c4#U8303754378y9986456Taiwan2020.exe | malicious
• Detalles de la descripci#U00f3n de la oferta del producto.exe | malicious
• Detalles de la descripci#U00f3n de la oferta del producto.exe | malicious
• Documentos internos de transferencia de dinero Banco Santader.exe | malicious
• Documentos internos de transferencia de dinero Banco Santader.exe | malicious
• Albawardi Group Project offer description 678467463756382020.exe | malicious
• Opis proizvoda prema kvaliteti i modelima2020.exe | malicious
• Opis proizvoda prema kvaliteti i modelima2020.exe | malicious
• Documentos de pago bancario 36587634 Bisa2020.exe | malicious
• Beschrijving van productaanbiedingcWbZN52020.exe | malicious
• Descri#U00e7#U00e3o da oferta do produto 873564635640rden2020.exe | malicious
• Descri#U00e7#U00e3o da oferta do produto 873564635640rden2020.exe | malicious
• BIDAKIS DOO PONUDA PROIZVODA.exe | malicious
• DocumentoNota Cobran#U00e7a IMI (FFPT-2019223912003).exe | malicious
• DocumentoNota Cobran#U00e7a IMI (FFPT-2019223912003).exe | malicious

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
ETOP-ASPL:
• v6clgzEGCb | malicious | 194.87.61.219
• SKCTMG_Carta_20210707_16374466893343426doc.exe | malicious | 178.170.138.163
• #U0639#U0631#U0636 #U0627#U0644#U0645#U0646#U062a#U062c Stomanas_SKCGM_63746352021doc.exe | malicious | 178.170.138.163
• DEBT_06032021_727093524.xlsm | malicious | 217.147.172.75
• DEBT_06032021_727093524.xlsm | malicious | 217.147.172.75
• p8Wo6PbOjL.exe | malicious | 194.87.248.186
• DEBT_06032021_1841965006.xlsm | malicious | 217.147.172.75
• DEBT_06032021_1841965006.xlsm | malicious | 217.147.172.75
• 21305177357_05272021.xlsm | malicious | 217.147.172.75
• 21305177357_05272021.xlsm | malicious | 217.147.172.75
• 21881755902_05272021.xlsm | malicious | 217.147.172.75
• 21881755902_05272021.xlsm | malicious | 217.147.172.75
• SecuriteInfo.com.Downloader-FCEIFE04EE03A3CA.23702.xlsx | malicious | 217.147.172.65
• SecuriteInfo.com.Downloader-FCEIFE04EE03A3CA.23702.xlsx | malicious | 217.147.172.65
• SecuriteInfo.com.Heur.18790.xlsx | malicious | 217.147.172.65
• SecuriteInfo.com.Heur.18790.xlsx | malicious | 217.147.172.65
• 21975030260_05262021.xlsm | malicious | 217.147.172.65
• 21975030260_05262021.xlsm | malicious | 217.147.172.65
• LGZCUIMYwQ.exe | malicious | 178.170.138.116
• Smart wireless request.xlsb | malicious | 178.170.138.116

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKGCTMGCarta20210701516374466893343426doc.exe.log
Process:C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):1594
Entropy (8bit):5.336334182031907
Encrypted:false
SSDEEP:48:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHsAmHK2HKSHKKHKs:lrq5qXEwCYqhQnoPtIxHeqzNM/q2qSqY
MD5:B9E8D9BC061D6715808BB3A28CECBA2B
SHA1:6F18CD63C12AEC962D089F215658FD5BE1789BC3
SHA-256:716E082F23E093EBCA2C8F994745CC7D62457D7359BBE555B75E275CE8EEEDC7
SHA-512:6D97D3E34CBCC5C0CCF845E285F98DE1824A825AB1D306D20ED164B0B74270CED9AB694E40831EC796E9F823BB4E369166006E555D7BBD000A33A0FDA601F806
Malicious:true
Reputation:moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp
Process:C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1647
Entropy (8bit):5.1946234784418746
Encrypted:false
SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGntn:cbhK79lNQR/rydbz9I3YODOLNdq3i
MD5:8C8CC3C796621F14169BD093EA6818F4
SHA1:3B3888BFFD6FC587368AADF30AB6CCAB6724A306
SHA-256:CF099569F34DBAFE264CE066E5685D9FF0FB391813DBB88F5460808F0936F01E
SHA-512:5BC2AB27CAC294C49159A0CE67E8011CA6E0695B51D0B34E9F956C751F4A812F003458499D5EC0AD12551BB2B797CA309A2C5FE127848923E9E94635445BB8B1
Malicious:true
Reputation:low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:data
Category:dropped
Size (bytes):232
Entropy (8bit):7.024371743172393
Encrypted:false
SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:32D0AAE13696FF7F8AF33B2D22451028
SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:false
Reputation:moderate, very likely benign file
Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:MPEG-4 LOAS
Category:dropped
Size (bytes):8
Entropy (8bit):3.0
Encrypted:false
SSDEEP:3:5P8t:98t
MD5:884356AE811E6EC35EC71E122ADD3089
SHA1:9346B3622B8A7DFCF2A6923688DD29D4D141D23B
SHA-256:127F0042509D516159135C721EF6096155D1FECB47E0F7804799BBAA20788394
SHA-512:5F8386D2FD81492551B6AB9D9813711AD739FF9CEC0037ACD96FFE1BF0E9DEC47EFD29BFA3C871BEECC9D6B9CDF13FB311E806522AD491C18DDAB6D3D6ACE34D
Malicious:true
Reputation:low
Preview: V.{..K.H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:data
Category:dropped
Size (bytes):40
Entropy (8bit):5.153055907333276
Encrypted:false
SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:4E5E92E2369688041CC82EF9650EDED2
SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:false
Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:data
Category:dropped
Size (bytes):327432
Entropy (8bit):7.99938831605763
Encrypted:true
SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:false
Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe
Process:C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):972288
Entropy (8bit):7.334276939082949
Encrypted:false
SSDEEP:24576:wgpLmQvDB9Ep2nb+B8NJar5e/A82vMfjYOk:XJbTN8r8FOGS
MD5:0EB0833449CEC388F8157458FC600691
SHA1:63C969FEEE64E6FE65D289FBBDF6E2C971F8878B
SHA-256:945AB6B146DC530E61824B8CCDD396C6C5D84C9537736DB859771B1EE2DD93FE
SHA-512:EE4AE72DEFE8E6E163523FE9175911AF7EEE9FDF2EF086C16F699B51D08D98EBD9104D3FC6310922F7B729850F878C595319D2E89629C4AF798C267DAB28F1C7
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 20%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............v.... ........@.. .......................@............@.................................$...O.......$.................... ....................................................... ............... ..H............text...|.... ...................... ..`.rsrc...$...........................@..@.reloc....... ......................@..B................X.......H.......(...$...........L....]...........................................0............(1...(2.........(.....o3....*.....................(4......(5......(6......(7......(8....*N..(....o....(9....*&..(:....*.s;........s<........s=........s>........s?........*....0...........~....o@....+..*.0...........~....oA....+..*.0...........~....oB....+..*.0...........~....oC....+..*.0...........~....oD....+..*&..(E....*...0..<........~.....(F.....,!r...p.....(G...oH...sI............~.....
C:\Users\user\AppData\Roaming\sNlYazJXiEQfkP.exe:Zone.Identifier
Process:C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.334276939082949
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:SKGCTMGCarta20210701516374466893343426doc.exe
File size:972288
MD5:0eb0833449cec388f8157458fc600691
SHA1:63c969feee64e6fe65d289fbbdf6e2c971f8878b
SHA256:945ab6b146dc530e61824b8ccdd396c6c5d84c9537736db859771b1ee2dd93fe
SHA512:ee4ae72defe8e6e163523fe9175911af7eee9fdf2ef086c16f699b51d08d98ebd9104d3fc6310922f7b729850f878c595319d2e89629c4af798c267dab28f1c7
SSDEEP:24576:wgpLmQvDB9Ep2nb+B8NJar5e/A82vMfjYOk:XJbTN8r8FOGS
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.............v.... ........@.. .......................@............@................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x4ee876
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x60F70F88 [Tue Jul 20 18:01:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:v4.0.30319
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xee824 | 0x4f | .text
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf0000 | 0x624 | .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf2000 | 0xc | .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                 Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                 .text | 0x2000 | 0xec87c | 0xeca00 | False | 0.651589532158 | data | 7.34236226121 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                 .rsrc | 0xf0000 | 0x624 | 0x800 | False | 0.3330078125 | data | 3.46462032748 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc | 0xf2000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                 Name | RVA | Size | Type | Language | Country
                                                 RT_VERSION | 0xf0090 | 0x394 | data | |
                                                 RT_MANIFEST | 0xf0434 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                Imports

                                                 DLL | Import
                                                 mscoree.dll | _CorExeMain

                                                Version Infos

                                                 Description | Data
                                                 Translation | 0x0000 0x04b0
                                                 LegalCopyright | Copyright 2016 - 2021
                                                 Assembly Version | 1.0.0.0
                                                 InternalName | AssemblyDefaultAliasAttribu.exe
                                                 FileVersion | 1.0.0.0
                                                 CompanyName | X SAW
                                                 LegalTrademarks |
                                                 Comments |
                                                 ProductName | Fountain Marks
                                                 ProductVersion | 1.0.0.0
                                                 FileDescription | Fountain Marks
                                                 OriginalFilename | AssemblyDefaultAliasAttribu.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                 Jul 20, 2021 20:53:49.791016102 CEST | 49744 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:53:52.792041063 CEST | 49744 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:53:55.524904013 CEST | 80 | 49684 | 93.184.221.240 | 192.168.2.4
                                                 Jul 20, 2021 20:53:55.525307894 CEST | 49684 | 80 | 192.168.2.4 | 93.184.221.240
                                                 Jul 20, 2021 20:53:57.614537001 CEST | 80 | 49685 | 93.184.220.29 | 192.168.2.4
                                                 Jul 20, 2021 20:53:57.614751101 CEST | 49685 | 80 | 192.168.2.4 | 93.184.220.29
                                                 Jul 20, 2021 20:53:58.141104937 CEST | 80 | 49707 | 93.184.220.29 | 192.168.2.4
                                                 Jul 20, 2021 20:53:58.141252041 CEST | 49707 | 80 | 192.168.2.4 | 93.184.220.29
                                                 Jul 20, 2021 20:53:58.428544998 CEST | 80 | 49698 | 93.184.220.29 | 192.168.2.4
                                                 Jul 20, 2021 20:53:58.428674936 CEST | 49698 | 80 | 192.168.2.4 | 93.184.220.29
                                                 Jul 20, 2021 20:53:58.792886972 CEST | 49744 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:53:59.280232906 CEST | 49711 | 443 | 192.168.2.4 | 2.22.152.11
                                                 Jul 20, 2021 20:53:59.280491114 CEST | 49714 | 80 | 192.168.2.4 | 93.184.220.29
                                                 Jul 20, 2021 20:53:59.623955965 CEST | 80 | 49706 | 93.184.220.29 | 192.168.2.4
                                                 Jul 20, 2021 20:53:59.627317905 CEST | 49706 | 80 | 192.168.2.4 | 93.184.220.29
                                                 Jul 20, 2021 20:54:01.316149950 CEST | 49716 | 443 | 192.168.2.4 | 204.79.197.200
                                                 Jul 20, 2021 20:54:01.316797972 CEST | 49717 | 443 | 192.168.2.4 | 204.79.197.200
                                                 Jul 20, 2021 20:54:06.795619965 CEST | 49752 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:09.809037924 CEST | 49752 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:15.966793060 CEST | 49752 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:23.374228954 CEST | 49763 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:26.389138937 CEST | 49763 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:32.404723883 CEST | 49763 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:39.938142061 CEST | 49764 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:42.952441931 CEST | 49764 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:45.250031948 CEST | 49683 | 443 | 192.168.2.4 | 40.126.31.136
                                                 Jul 20, 2021 20:54:45.250032902 CEST | 49685 | 80 | 192.168.2.4 | 93.184.220.29
                                                 Jul 20, 2021 20:54:45.250073910 CEST | 49684 | 80 | 192.168.2.4 | 93.184.221.240
                                                 Jul 20, 2021 20:54:45.265918016 CEST | 80 | 49685 | 93.184.220.29 | 192.168.2.4
                                                 Jul 20, 2021 20:54:45.265949011 CEST | 80 | 49684 | 93.184.221.240 | 192.168.2.4
                                                 Jul 20, 2021 20:54:45.266001940 CEST | 49685 | 80 | 192.168.2.4 | 93.184.220.29
                                                 Jul 20, 2021 20:54:45.266019106 CEST | 49684 | 80 | 192.168.2.4 | 93.184.221.240
                                                 Jul 20, 2021 20:54:45.287282944 CEST | 443 | 49683 | 40.126.31.136 | 192.168.2.4
                                                 Jul 20, 2021 20:54:45.287385941 CEST | 49683 | 443 | 192.168.2.4 | 40.126.31.136
                                                 Jul 20, 2021 20:54:47.798296928 CEST | 49712 | 443 | 192.168.2.4 | 40.126.31.136
                                                 Jul 20, 2021 20:54:47.798316002 CEST | 49705 | 443 | 192.168.2.4 | 40.126.31.136
                                                 Jul 20, 2021 20:54:47.798541069 CEST | 49715 | 443 | 192.168.2.4 | 40.126.31.136
                                                 Jul 20, 2021 20:54:47.836118937 CEST | 443 | 49712 | 40.126.31.136 | 192.168.2.4
                                                 Jul 20, 2021 20:54:47.836163044 CEST | 443 | 49715 | 40.126.31.136 | 192.168.2.4
                                                 Jul 20, 2021 20:54:47.836328030 CEST | 49712 | 443 | 192.168.2.4 | 40.126.31.136
                                                 Jul 20, 2021 20:54:47.836405993 CEST | 49715 | 443 | 192.168.2.4 | 40.126.31.136
                                                 Jul 20, 2021 20:54:47.837521076 CEST | 443 | 49705 | 40.126.31.136 | 192.168.2.4
                                                 Jul 20, 2021 20:54:47.839204073 CEST | 49705 | 443 | 192.168.2.4 | 40.126.31.136
                                                 Jul 20, 2021 20:54:48.952941895 CEST | 49764 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:56.721637964 CEST | 443 | 49692 | 204.79.197.200 | 192.168.2.4
                                                 Jul 20, 2021 20:54:57.894918919 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:57.993505955 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:57.994163990 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:58.052845001 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:58.195569038 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:58.325253010 CEST | 443 | 49691 | 204.79.197.200 | 192.168.2.4
                                                 Jul 20, 2021 20:54:58.812326908 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:58.826364994 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:58.999310970 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:58.999449968 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.030936956 CEST | 443 | 49695 | 204.79.197.200 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.143984079 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.144264936 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.285238981 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.288057089 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289046049 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289067030 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289084911 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289103985 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289124012 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.289124966 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289211988 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.289215088 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289220095 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.289565086 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289585114 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289633989 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.289761066 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.289841890 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.389314890 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.389348984 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.389368057 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.389384985 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.389462948 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.389487982 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.390346050 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390372038 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390391111 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390408993 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390424967 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390774012 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390816927 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390839100 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390856981 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.390903950 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.390928984 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.390933037 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.390937090 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.392381907 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.392424107 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.392458916 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.392539024 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.392550945 CEST | 49767 | 5626 | 192.168.2.4 | 178.170.138.163
                                                 Jul 20, 2021 20:54:59.392571926 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4
                                                 Jul 20, 2021 20:54:59.392591953 CEST | 5626 | 49767 | 178.170.138.163 | 192.168.2.4

                                                UDP Packets

                                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                 Jul 20, 2021 20:53:03.080075026 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:03.095879078 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:03.497672081 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:03.518735886 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:04.246798038 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:04.259433985 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:05.161753893 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:05.174273968 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:06.222085953 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:06.234720945 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:07.443651915 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:07.456856966 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:08.769318104 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:08.784786940 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:09.850197077 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:09.862863064 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:10.907741070 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:10.919694901 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:11.797177076 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:11.810538054 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:13.011362076 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:13.025382042 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:14.257255077 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:14.269445896 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:15.828495026 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:15.841645956 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:16.653623104 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:16.666963100 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:17.577039003 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:17.589631081 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:18.619400024 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:18.632201910 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:19.440938950 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:19.456465960 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:22.020378113 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:22.033862114 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:35.628530025 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:35.642158985 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:53:55.819211006 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:53:55.838304043 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:01.942260981 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:02.094908953 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:02.686131954 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:02.751868963 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:03.390436888 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:03.423921108 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:04.131932020 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:04.214224100 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:04.877422094 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:04.891092062 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:06.353360891 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:06.449522018 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:07.285285950 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:07.299464941 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:08.452699900 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:08.465725899 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:09.744180918 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:09.757294893 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:11.563493013 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:11.577337980 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:12.294811010 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:12.307620049 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:15.604841948 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:15.622859955 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:45.058250904 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:45.084662914 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                                 Jul 20, 2021 20:54:46.908283949 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                                 Jul 20, 2021 20:54:46.935163975 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4

                                                Code Manipulations

                                                Statistics

                                                Behavior


                                                System Behavior

                                                General

Start time: 20:53:08
Start date: 20/07/2021
Path: C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe'
Imagebase: 0x4a0000
File size: 972288 bytes
MD5 hash: 0EB0833449CEC388F8157458FC600691
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

                                                General

Start time: 20:53:41
Start date: 20/07/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'
Imagebase: 0xb30000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                General

Start time: 20:53:41
Start date: 20/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                General

Start time: 20:53:42
Start date: 20/07/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase: 0x570000
File size: 261728 bytes
MD5 hash: D621FD77BD585874F9686D3A76462EF1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921988297.0000000006380000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920719011.0000000005340000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922327045.0000000006830000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922004647.0000000006390000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920503231.0000000005270000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922224537.00000000064B0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: NanoCore, Description: unknown, Source: 00000009.00000002.917951704.00000000039A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920917334.00000000053A0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: NanoCore, Description: unknown, Source: 00000009.00000002.918142857.0000000003BC2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920788480.0000000005350000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920890999.0000000005380000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000009.00000002.916279377.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: NanoCore, Description: unknown, Source: 00000009.00000002.917459276.0000000002A0F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922204860.00000000064A0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921932681.0000000006360000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.917875317.0000000003891000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000009.00000002.918281922.0000000003CD3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920928559.00000000053B0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.920939322.00000000053C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921968807.0000000006370000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: NanoCore, Description: unknown, Source: 00000009.00000002.918165301.0000000003BE8000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: moderate
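The four process entries above show the chain a detection engineer wants to catch: the dropped executable registers a scheduled task from an XML file in the user's Temp directory, and MSBuild.exe is started with no project argument, after which the Yara matches place the NanoCore payload in MSBuild's memory. The following Python is an added example and is not part of the Joe Sandbox report: it runs two checks over process-creation events shaped like Sysmon Event ID 1 records (Image, CommandLine, ParentImage). The events are constructed to mirror the report's process list; the parent links and the benign MSBuild control event are assumptions, since the report lists processes but not their parents.

```python
"""Flag the process chain seen in this report:
 1. schtasks.exe /Create with /XML pointing at %LOCALAPPDATA%\\Temp\\*.tmp,
    launched by an executable living in the user profile;
 2. MSBuild.exe started with no project or switches (a build tool with
    nothing to build is a classic injection host).

Added example, not code from the report. Events are constructed to mirror
the report's process entries; ParentImage values are an assumption.
Command lines keep the report's single-quote rendering; real Sysmon logs
use double quotes, which the patterns below also accept."""
import re

SAMPLE = r"C:\Users\user\Desktop\SKGCTMGCarta20210701516374466893343426doc.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

EVENTS = [  # constructed from the report's process list (parents assumed)
    {"Image": SAMPLE, "CommandLine": f"'{SAMPLE}'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sNlYazJXiEQfkP' /XML 'C:\Users\user\AppData\Local\Temp\tmp1ACF.tmp'",
     "ParentImage": SAMPLE},
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\SysWOW64\schtasks.exe"},
    {"Image": MSBUILD, "CommandLine": MSBUILD, "ParentImage": SAMPLE},
    # Benign control (assumed): a real build that passes a project file.
    {"Image": MSBUILD, "CommandLine": f"'{MSBUILD}' app.csproj /t:Build",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Parents under these user-writable folders are where droppers usually live.
USER_WRITABLE = re.compile(r"(?i)^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\")
SCHTASKS_CREATE = re.compile(r"(?i)(^|\s)/create(\s|$)")
XML_FROM_TEMP = re.compile(r"(?i)/xml\s+['\"]?[^'\"]*\\AppData\\Local\\Temp\\[^'\"]*\.tmp")
TASK_NAME = re.compile(r"(?i)/tn\s+['\"]?([^'\"\s]+)")


def args_after_image(cmdline):
    """Return the arguments that follow the (possibly quoted) image token."""
    cmdline = cmdline.strip()
    if cmdline[:1] in ("'", '"'):
        end = cmdline.find(cmdline[0], 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    return cmdline.partition(" ")[2].strip()


def check_schtasks(ev):
    """Scheduled task registered from a temp-file XML; high if the parent is user-writable."""
    if not ev["Image"].lower().endswith("\\schtasks.exe"):
        return None
    cl = ev["CommandLine"]
    if not (SCHTASKS_CREATE.search(cl) and XML_FROM_TEMP.search(cl)):
        return None
    m = TASK_NAME.search(cl)
    task = m.group(1) if m else "<unknown>"
    sev = "high" if USER_WRITABLE.match(ev["ParentImage"]) else "medium"
    return f"{sev}: schtasks /Create from temp XML, task '{task}', parent {ev['ParentImage']}"


def check_msbuild(ev):
    """MSBuild.exe started with nothing to build; high if a user-profile binary launched it."""
    if not ev["Image"].lower().endswith("\\msbuild.exe"):
        return None
    if args_after_image(ev["CommandLine"]):
        return None  # a project or switch was passed; treat as a normal build
    if USER_WRITABLE.match(ev["ParentImage"]):
        return f"high: MSBuild.exe launched with no arguments by {ev['ParentImage']} (injection host)"
    return "low: MSBuild.exe launched with no arguments"


def scan(events):
    """Run every check over the event list; return (event index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        for check in (check_schtasks, check_msbuild):
            hit = check(ev)
            if hit:
                findings.append((i, hit))
    return findings


if __name__ == "__main__":
    for idx, msg in scan(EVENTS):
        print(idx, msg)
```

Run against the constructed events, the scan flags only the schtasks entry (event 1) and the argument-less MSBuild entry (event 3), both at high severity because their parent is the desktop-resident sample; the benign MSBuild build with a project file passes. On a live host the task can be pulled for triage with `schtasks /Query /TN "Updates\sNlYazJXiEQfkP" /XML`, which returns the same XML the dropper wrote to the temp file.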

                                                Disassembly

                                                Code Analysis
