Source: File created | Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\4yGRcXEf.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat |
Source: Yara match | File source: 4yGRcXEf.exe, type: SAMPLE |
Source: Yara match | File source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY |
Source: Yara match | File source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7 |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | String found in binary or memory: http://google.com |
Source: Yara match | File source: 4yGRcXEf.exe, type: SAMPLE |
Source: Yara match | File source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY |
Source: Yara match | File source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE |
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 4yGRcXEf.exe |
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 4yGRcXEf.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 4yGRcXEf.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: 4yGRcXEf.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: 4yGRcXEf.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: 4yGRcXEf.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/4@2/1 |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{fc89967f-3919-4601-99a8-f8b96018b643} |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking |
Source: 4yGRcXEf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll |
Source: | Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp |
Source: | Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp |
Source: | Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp |
Source: | Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp |
Source: | Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp |
Source: | Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp |
Source: 4yGRcXEf.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4yGRcXEf.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 4yGRcXEf.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=' |
Source: 4yGRcXEf.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK' |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK' |
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=' |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | File opened: C:\Users\user\Desktop\4yGRcXEf.exe:Zone.Identifier read attributes | delete |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Window / User API: threadDelayed 795 |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Window / User API: threadDelayed 583 |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Window / User API: foregroundWindowGot 699 |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Window / User API: foregroundWindowGot 704 |
Source: C:\Users\user\Desktop\4yGRcXEf.exe TID: 6780 | Thread sleep time: -1844674407370954s >= -30000s |
Source: C:\Users\user\Desktop\4yGRcXEf.exe TID: 6776 | Thread sleep time: -40000s >= -30000s |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Memory allocated: page read and write | page guard |
Source: 4yGRcXEf.exe, 00000000.00000003.232009545.00000000009AD000.00000004.00000001.sdmp | Binary or memory string: Program Manager |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\4yGRcXEf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: Yara match | File source: 4yGRcXEf.exe, type: SAMPLE |
Source: Yara match | File source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY |
Source: Yara match | File source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE |
Source: 4yGRcXEf.exe, 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost |
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCop |