Windows Analysis Report
Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Overview

General Information

Sample Name:	Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Analysis ID:	881372
MD5:	d2c96c075741ccd8bed558e39838a59d
SHA1:	09667b1bef10f69697d997a26d9d963dfe4bdeb3
SHA256:	d2a573edc893e24fbf245c4f8f918ec3b4f04fab928f073a24da3cb741d18388
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary is likely a compiled AutoIt script file

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to call native functions

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Drops PE files

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Creates a start menu entry (Start Menu\Programs\Startup)

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.morphisec.com/syk-crypter-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Signatures

AV Detection

Found malware configuration

Source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2ad4e32f-c687-4329-b5e5-302ef0e0", "Group": "Default", "Domain1": "nickdns22.duckdns.org", "Domain2": "127.0.0.1", "Port": 1896, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	ReversingLabs: Detection: 70%
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Virustotal: Detection: 65%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

Avira: detection malicious, Label: DR/AutoIt.Gen8

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe

ReversingLabs: Detection: 80%

Yara detected Nanocore RAT

Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.42130ed.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.16ecf40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1196210.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.147e008.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.59f4629.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.MSBuild.exe.420eac4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.znytpstdcrwsisx.exe.14568c0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.14183d8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.13db7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.11c1e50.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.407208526.000000000175C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409346361.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383770715.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.384143061.0000000001195000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382325169.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383002021.00000000014E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382620539.0000000001428000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382379627.0000000001429000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383032344.0000000004FF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407143398.000000000178F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407063143.0000000004541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382518683.0000000001197000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421398026.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.420789152.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405134959.00000000016ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409265675.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.407268539.0000000001729000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.387268383.0000000001196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.634788699.00000000059F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383592412.0000000001419000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405268351.000000000172A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405858359.00000000016BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382557238.00000000013C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383733827.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405433292.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409440308.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409174074.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.406996996.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405084980.0000000001457000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.409044743.0000000001431000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.382477117.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405355044.0000000001687000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.383509738.000000000144C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.421501770.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5980, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: znytpstdcrwsisx.exe PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5944, type: MEMORYSTR

Uses 32bit PE files

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb666 source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372161750.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\MSBuild.pdbf source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Agent\_work\24\s\Win32\Release\junction.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: remoting_desktop.exe.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr
Source:	Binary string: C:\agent\_work\93\s\Win32\Release Console\autorunsc.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\B\T\BuildResults\bin\Release\TextExtractor.pdb source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372161750.0000000001197000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000001.00000002.630556075.00000000028E6000.00000004.00000020.00020000.00000000.sdmp

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49699 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49700 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49701 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49705 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49707 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49711 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49712 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49713 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49717 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49718 -> 192.169.69.26:1896
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 192.169.69.26:1896

Source: Malware configuration extractor	URLs: nickdns22.duckdns.org
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26
Source: Joe Sandbox View	IP Address: 192.169.69.26 192.169.69.26

Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 209.197.3.8
Source: unknown	TCP traffic detected without corresponding DNS query: 23.36.225.155
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.88

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://citationstyles.org/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/3.0/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab:
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://p.yusukekamiyamane.com/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://support.mendeley.com/customer/portal/articles/227955
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.com
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comFileVersionLegalCopyright
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: http://www.sysinternals.comFileVersionLegalCopyrightLISTBOXDEL:AllUsersuserComputerscomputerGroupsgr
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364770823.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comWindowPositionSOFTWARE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comopenConnection
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sysinternals.comopenThe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://citationstyles.org
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxupdate_urlBrowser
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://csl.mendeley.com
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://github.com/Juris-M/citeproc-js
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://github.com/citation-style-language/styles
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ims-na1-stg1.adobelogin.com
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ims-prod06.adobelogin.com
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-cops-dev.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-cops-dev.adobe.iohttps://lcs-cops-stage.adobe.iohttps://lcs-cops.adobe.iohttps://lcs-rob
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-cops-stage.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-cops.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-robs-dev.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-robs-stage.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-robs.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-ulecs-dev.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-ulecs-stage.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lcs-ulecs.adobe.io
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://plasma.kde.org
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://rrchnm.org/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/19611/kw/duplicates/supporthub/mendeley/Yes
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://service.elsevier.com/app/answers/detail/a_id/22094/kw/migrate/supporthub/mendeley/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contac
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQ
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.elsevier.com/legal/elsevier-website-terms-and-conditions
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.elsevier.com/legal/privacy-policy
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.gmu.edu/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.mendeley.com/library
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-website
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.sysinternals.comntdllRtlInitUnicodeStringNtOpenDirectoryObjectNtQuerySectionNtQueryDirec
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.virustotal.com/about/terms-of-service%s
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.virustotal.com/en/about/terms-of-service/
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.virustotal.comPOST4e3202fdbe953d628f650229af5b3eb49cd46b2d3bfe5546ae3c5fa48b554e0capikey
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: https://www.zotero.org/

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364108293.000000000487B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364108293.000000000487B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000000.361773437.000000000037E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000000.361773437.000000000037E000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: 0SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005B78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C "!CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: znytpstdcrwsisx.exe, 00000006.00000002.411194467.0000000000E9E000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: znytpstdcrwsisx.exe, 00000006.00000002.411194467.0000000000E9E000.00000002.00000001.01000000.00000008.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: znytpstdcrwsisx.exe.0.dr	String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E17AC1	1_2_00E17AC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02918678	1_2_02918678
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02919278	1_2_02919278
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_029123A0	1_2_029123A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02912FA8	1_2_02912FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02913850	1_2_02913850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0291AD18	1_2_0291AD18
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0291933F	1_2_0291933F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_02919B20	1_2_02919B20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_0291306F	1_2_0291306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4_2_05651DF8	4_2_05651DF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 4_2_05650708	4_2_05650708
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 7_2_02E423A0	7_2_02E423A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 7_2_02E42FA8	7_2_02E42FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 7_2_02E43850	7_2_02E43850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 7_2_02E4306F	7_2_02E4306F

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05023012 NtQuerySystemInformation,		1_2_05023012
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05022FD7 NtQuerySystemInformation,		1_2_05022FD7

Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 7.2.MSBuild.exe.420eac4.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.MSBuild.exe.59f0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)

Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.MSBuild.exe.31e3c74.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.16ec7f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.MSBuild.exe.5640000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.MSBuild.exe.59f0000.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.145bb50.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe.1428f48.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.MSBuild.exe.4209c8e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.3.znytpstdcrwsisx.exe.14568c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.znytpstdcrwsisx.exe.14568c0.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.378236827.0000000005691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.0000000005469000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.365309489.0000000004823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.366011372.000000000542E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.372536607.0000000004A39000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.374414583.00000000053CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.364770823.0000000004CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.368183823.0000000004C32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PathVerifiedDatePublisherCompanyDescriptionProductProduct VersionFile VersionMachine TypeBinary VersionOriginal NameInternal NameCopyrightCommentsEntropyMD5SHA1PESHA1PESHA256SHA256IMPVT detectionVT link\RtlNtStatusToDosErrorntdll.dll%c%sAccess denied.ValidThis certificate or one of the certificates in the certificate chain is not time valid.Trust for this certificate or one of the certificates in the certificate chain has been revoked.The certificate or one of the certificates in the certificate chain does not have a valid signature.The certificate or certificate chain is not valid for its proposed usage.The certificate or certificate chain is based on an untrusted root.The revocation status of the certificate or one of the certificates in the certificate chain is unknown.One of the certificates in the chain was issued by a certification authority that the original certificate had certified.One of the certificates has an extension that is not valid.The certificate or one of the certificates in the certificate chain has a policy constraints extension, and one of the issued certificates has a disallowed policy mapping extension or does not have a required issuance policies extension.The certificate or one of the certificates in the certificate chain has a basic constraints extension, and either the certificate cannot be used to issue other certificates, or the chain path length has been exceeded.The certificate or one of the certificates in the certificate chain has a name constraints extension that is not valid.The certificate or one of the certificates in the certificate chain has a name constraints extension that contains unsupported fields.The certificate or one of the certificates in the certificate chain has a name constraints extension and a name constraint is missing for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and there is not a permitted name constraint for one of the name choices in the end certificate.The certificate or one of the certificates in the certificate chain has a name constraints extension, and one of the name choices in the end certificate is explicitly excluded.The revocation status of the certificate or one of the certificates in the certificate chain is either offline or stale.The end certificate does not have any resultant issuance policies, and one of the issuing certification authority certificates has a policy constraints extension requiring it.The certificate is explicitly distrusted.The certificate does not support a critical extension.The certificate has not been strong signed.., Invalid signature%d.%d.%d.%dn/aProductVersionOriginalFileNameWow64DisableWow64FsRedirectionKernel32.dllIsWow64Processrsaenh.dllmsisip.dllncrypt.dllbcrypt.dllcryptsp.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: J\VarFileInfo\Translation\D:\B\T\Imports\Open\Chrome\Chrome\src\base\file_version_info_win.ccCompanyNameCompanyShortNameInternalNameProductNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Binary or memory string: CompanyNameCompanyShortNameInternalNameProductShortNameProductVersionFileDescriptionFileVersionOriginalFilenameSpecialBuild\StringFileInfo\%04x%04x\%ls\VarFileInfo\Translation\../../base/files/file_util_win.ccMakeAbsoluteFilePathDeleteFileAfterRebootDeleteFileEvenIfInUseNtSetInformationFilentdll.dll vs Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Source: znytpstdcrwsisx.exe.0.dr	Static PE information: Number of sections : 72 > 10
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Number of sections : 72 > 10

Source: unknown	Process created: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe "C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe"
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp9A5C.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05022DD2 AdjustTokenPrivileges,		1_2_05022DD2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_05022D9B AdjustTokenPrivileges,		1_2_05022D9B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3676:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2ad4e32f-c687-4329-b5e5-302ef0e0906d}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3100:120:WilError_01

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: /cite/word/install
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: Couldn't find documents: You have selected documents from both My Library a Shared Group, or from multiple Shared Groups, which is not supported.Documents in multiple groupsPlease select the documents you wish to cite.importing %1 documents from plugin into ??geometry/newLibrarySplittergeometry/horizontalSplittergeometry/verticalSplitterSynchronizing - Step %1 of %2GroupFilterCollectionDeletedFilter1trigger()Synchronizing Zotero - Step %1 of %22duplicateSearchStarted(WorkerJob::Pointer)1highlightAndScrollTo(QList<Document::Pointer>)2allJobsFinished(QList<Document::Pointer>)Invite/invite/?dgcid=Mendeley_Desktop_Invite-colleagues/cite/word/install/importshowSignInmendeley://loginshowJoinMendeleyFormmendeley://registerDelete this document from your library?Delete %1 documents from your library?
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guides
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: 1openHelpGuides()Help Guides1openMendeleyWebsite()Mendeley Website1openFAQ()FAQ1openContactSupport()Contact SupportCheck for UpdatesCheck Now1toggleCheckForPreviewUpdates()Create Backup...1openMendeleyPrivacyPolicy()Privacy Policy1openMendeleyTandCs()Terms and Conditions1showAbout()https://www.mendeley.com/guides?dgcid=Mendeley_Desktop_Help-menu-Help-guideshttps://www.mendeley.com?dgcid=Mendeley_Desktop_Help-menu-websitehttps://www.elsevier.com/legal/elsevier-website-terms-and-conditionshttps://www.elsevier.com/legal/privacy-policyhttps://service.elsevier.com/app/home/supporthub/mendeley/?dgcid=Mendeley_Desktop_Help-menu-FAQhttps://service.elsevier.com/app/contact/supporthub/mendeley?dgcid=Mendeley_Desktop_Help-menu-Contact-SupportOpt-out of Experimental ReleasesOpt-in to Experimental Releases
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	String found in binary or memory: Try '%ls --help' for more information.

Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Windows Analysis Report Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe

Malware Threat Intel
Provided by

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E174AC push ecx; ret	1_2_00E174AD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E174B8 push ebp; ret	1_2_00E174B9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E1549B push edi; retn 0000h	1_2_00E154A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E19D5C push 7800E1CBh; retf	1_2_00E19D61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Code function: 1_2_00E19E34 pushfd ; retf	1_2_00E19E3D

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: eSkkNGPG
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: PTcLNQBR
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: uhxZiqpZ
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: bMgQsjaV
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: GBMbimfi
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: DgfAMsww
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: rSvCgsmi
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: YskjstAT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: LoVCKuYF
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: WVocwQqb
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: oSCGvaQZ
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: yZjSVOZX
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: QXbsjhZl
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: yyMCijkk
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: mpFeMMWO
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: lykrKTJc
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: uiehIGyj
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: zVFOZMAw
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: YlpJAimU
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: JwzqdXdu
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: UGiiFcPP
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: WQbVwRsn
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: tPcESPxm
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: aJkBpZiD
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: oVRlQlUl
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: kJDrTOOv
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: dPNhZlJs
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: tpgvdaSU
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: stGTwKsk
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: NWtntEHY
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: SeCKBtus
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: YLnRofwZ
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: ITlNviCX
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: xXKSfIFI
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: rzHoctSy
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: tqGkaUrY
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: XUULAqjj
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: OJKanVIF
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: XOKAQdyM
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: bvHwouBZ
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: emfUrPdE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: wDjKtsMK
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: mVRJZClE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: tOofDbnU
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: jMZzwYXU
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: nBeILfXx
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: vXOIjvTV
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: HdeHlMsv
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: INgZfirH
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: kDTxXhPW
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: WGoHkNIX
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: KQZwnOJl
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: TIucAObT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: LbFXKCFw
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: zVPYqkoM
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: FueMosXg
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: iRDivbUE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: qqDFgVrq
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: NoZwckKd
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: xegiIWpk
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: lFLuySNA
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: yfUTtHPf
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: HFrIlBYb
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: NCFRXlWT
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: DOngBUEn
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: XkEBteUo
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: section name: JfnpBUQQ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: eSkkNGPG
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: PTcLNQBR
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: uhxZiqpZ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: bMgQsjaV
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: GBMbimfi
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: DgfAMsww
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: rSvCgsmi
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: YskjstAT
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: LoVCKuYF
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: WVocwQqb
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: oSCGvaQZ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: yZjSVOZX
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: QXbsjhZl
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: yyMCijkk
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: mpFeMMWO
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: lykrKTJc
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: uiehIGyj
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: zVFOZMAw
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: YlpJAimU
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: JwzqdXdu
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: UGiiFcPP
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: WQbVwRsn
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: tPcESPxm
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: aJkBpZiD
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: oVRlQlUl
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: kJDrTOOv
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: dPNhZlJs
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: tpgvdaSU
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: stGTwKsk
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: NWtntEHY
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: SeCKBtus
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: YLnRofwZ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: ITlNviCX
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: xXKSfIFI
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: rzHoctSy
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: tqGkaUrY
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: XUULAqjj
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: OJKanVIF
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: XOKAQdyM
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: bvHwouBZ
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: emfUrPdE
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: wDjKtsMK
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: mVRJZClE
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: tOofDbnU
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: jMZzwYXU
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: nBeILfXx
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: vXOIjvTV
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: HdeHlMsv
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: INgZfirH
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: kDTxXhPW
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: WGoHkNIX
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: KQZwnOJl
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: TIucAObT
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: LbFXKCFw
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: zVPYqkoM
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: FueMosXg
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: iRDivbUE
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: qqDFgVrq
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: NoZwckKd
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: xegiIWpk
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: lFLuySNA
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: yfUTtHPf
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: HFrIlBYb
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: NCFRXlWT
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: DOngBUEn
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: XkEBteUo
Source: znytpstdcrwsisx.exe.0.dr	Static PE information: section name: JfnpBUQQ

Source: znytpstdcrwsisx.exe.0.dr	Static PE information: real checksum: 0x12035b should be: 0x4c650c
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Static PE information: real checksum: 0x12035b should be: 0x4c8c6f

Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hdoydskbdx\znytpstdcrwsisx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.369979852.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IIRP_MJ_FASTIO_PROCMON.EXEPROCEXP.EXEAUTORUNS.EXESYSTEMPAGEFILE.SYS$MFT$MFTMIRR$LOGFILE$VOLUME$ATTRDEF$ROOT$BITMAP$BOOT$BADCLUS$SECURE$UPCASE$EXTENDFAST IOINCLUDEEXCLUDE<BAD>OKAY TO OVERWRITE EVENT LOG ''?AN ERROR OCCURRED OPENING THE SNAPSHOT ''APPLYING EVENT FILTEROPERATION CANCELLED: THE LISTVIEW DATA MAY BE INCOMPLETEPROCESS MONITOR CAN OPEN AT MOST BACKING FILES<PAGEFILE>YESNOEVENTPROCESSINDEXSTACKFRAMEDEPTHADDRESS + PATHLOCATIONPROCESSPROCESSIDPARENTPROCESSIDPARENTPROCESSINDEXAUTHENTICATIONIDCREATETIMEFINISHTIMEISVIRTUALIZEDIS64BITINTEGRITYOWNERPROCESSNAMECOMMANDLINECOMPANYNAMEVERSIONDESCRIPTIONMODULELISTMODULETIMESTAMPBASEADDRESSSIZECOMPANYPROCESS MONITOR - EXPORTING EVENT DATAWT, CCS=UTF-8"%S"
Source: znytpstdcrwsisx.exe, 00000006.00000003.407665734.0000000001660000.00000004.00000020.00020000.00000000.sdmp, znytpstdcrwsisx.exe, 00000006.00000002.412419937.0000000001660000.00000004.00000020.00020000.00000000.sdmp, znytpstdcrwsisx.exe, 00000006.00000003.407387450.0000000001659000.00000004.00000020.00020000.00000000.sdmp, znytpstdcrwsisx.exe, 00000006.00000003.407487257.0000000001660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIECTRL.EXE
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.390170315.000000000138A000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.383953493.000000000138A000.00000004.00000020.00020000.00000000.sdmp, Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.389792384.000000000138A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SBIECTRL.EXEI0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6840	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 4184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 5580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: MSBuild.exe, 00000001.00000002.629865892.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[
Source: Backdoor.MSIL.NanoBot.betf-d2a573edc893e24fbf.exe, 00000000.00000003.389792384.000000000138A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.exeG-
Source: MSBuild.exe, 00000001.00000002.629865892.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: znytpstdcrwsisx.exe, 00000006.00000003.407487257.0000000001660000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.exe&44