File name: kalyanonlinematkaapp.exe

Full analysis: https://app.any.run/tasks/c710d51c-8533-419b-b56c-a7f60fbad45f
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which allow attackers to tailor its functionality to their needs. NanoCore is built with the .NET Framework and is available for purchase for just $25 from its “official” website.

Analysis date: May 14, 2026, 16:12:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: nanocore
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 8FE9AFCBC6B755494A8DF57A4F16888F
SHA1: E11A7E0DDB8B3039D94400885B72ECC757BDE136
SHA256: DFC8CE3C3711A5B40887FB310775D17EDDD9D9F42BFD27B3487FD109E325F3DA
SSDEEP: 3072:6pjFiF4UMYXw+zcgi+oG/j9iaMP2s/Hi0xUp87Z2SOjFwAc7q89bIwlb970oP:6NFfUMuzkIM59xUp87Z2SmNcJMaZ0oP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • NANOCORE has been detected (YARA)

      • kalyanonlinematkaapp.exe (PID: 5420)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • kalyanonlinematkaapp.exe (PID: 5420)
    • Process checks whether UAC notifications are on

      • kalyanonlinematkaapp.exe (PID: 5420)
    • Reads the machine GUID from the registry

      • kalyanonlinematkaapp.exe (PID: 5420)
    • Creates files or folders in the user directory

      • kalyanonlinematkaapp.exe (PID: 5420)
    • Reads the computer name

      • kalyanonlinematkaapp.exe (PID: 5420)

Nanocore

(PID) Process: (5420) kalyanonlinematkaapp.exe
KeyboardLogging: True
BuildTime: 2026-05-14 16:05:24.959776
Version: 1.2.2.0
Mutex: 6314ccc6-9843-4a74-aed7-559c83d1497b
DefaultGroup: Setup
PrimaryConnectionHost: kalyanonlinematkaapp.in.net
BackupConnectionHost: www.kalyanonlinematkaapp.in.net
ConnectionPort: 54984
RunOnStartup: False
RequestElevation: False
BypassUserAccountControl: True
ClearZoneIdentifier: True
ClearAccessControl: False
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 4997
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65857
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: 8.8.8.8
BackupDnsServer: 8.8.4.4

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:22 00:49:37+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 116736
InitializedDataSize: 90624
UninitializedDataSize: -
EntryPoint: 0x1e792
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Behavior graph image not preserved; nodes: start, kalyanonlinematkaapp.exe (#NANOCORE), slui.exe]

Process information

PID: 5196
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 5420
CMD: "C:\Users\admin\Desktop\kalyanonlinematkaapp.exe"
Path: C:\Users\admin\Desktop\kalyanonlinematkaapp.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\kalyanonlinematkaapp.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
Total events: 3 830
Read events: 3 829
Write events: 1
Delete events: 0

Modification events

(PID) Process: (5196) slui.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5420 | kalyanonlinematkaapp.exe | C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\run.dat | text
MD5: 29B4B1F13059421262F138BB6EF0D2FA
SHA256: ADEDB5E3035080D34DF93E3F681D15155AA1E7E5F7A398D62F7007D1F9EC40B9

HTTP(S) requests: 10
TCP/UDP connections: 37
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6076 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
5196 | slui.exe | POST | 500 | 128.24.231.64:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
3280 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | US | binary | 814 b | whitelisted
3280 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | US | binary | 400 b | whitelisted
3280 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | US | binary | 400 b | whitelisted
6076 | svchost.exe | GET | 200 | 23.216.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5196 | slui.exe | POST | 500 | 128.24.231.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
3280 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | US | binary | 813 b | whitelisted
3280 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | US | binary | 813 b | whitelisted
3280 | svchost.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | NL | binary | 824 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
5276 | MoUsoCoreWorker.exe | 40.84.85.40:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7312 | slui.exe | 128.24.231.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6076 | svchost.exe | 40.84.85.40:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
6076 | svchost.exe | 23.216.77.18:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6076 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5276 | MoUsoCoreWorker.exe | 48.209.133.15:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5420 | kalyanonlinematkaapp.exe | 8.8.8.8:53 | - | GOOGLE | US | whitelisted
6076 | svchost.exe | 48.209.133.15:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
activation-v2.sls.microsoft.com | 128.24.231.64 | whitelisted
crl.microsoft.com | 23.216.77.18, 23.216.77.30, 23.216.77.8, 23.216.77.20, 23.216.77.37, 23.216.77.28, 23.216.77.22, 23.216.77.25, 23.216.77.38, 23.216.77.19, 23.216.77.42 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
google.com | 142.251.20.101, 142.251.20.139, 142.251.20.138, 142.251.20.113, 142.251.20.100, 142.251.20.102 | whitelisted
settings-win.data.microsoft.com | 48.209.133.15 | whitelisted
self.events.data.microsoft.com | 20.189.173.24 | whitelisted

Threats

No threats detected