Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then push dword ptr [ebp-24h] |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then jmp 076A0806h |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then push dword ptr [ebp-24h] |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then xor edx, edx |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then xor edx, edx |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then push dword ptr [ebp-20h] |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then push dword ptr [ebp-20h] |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then jmp 076A0806h |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h |
Source: 00000014.00000002.592972004.0000000004172000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000014.00000002.592972004.0000000004172000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000002.338088857.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.338088857.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000014.00000002.593076062.0000000004205000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000014.00000002.593076062.0000000004205000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000018.00000002.589229834.00000000042A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000018.00000002.580480048.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000018.00000002.580480048.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000018.00000002.592742291.00000000058E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000018.00000002.592779539.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.337626085.00000000048E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.337626085.00000000048E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000014.00000002.593637409.000000000439B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000014.00000002.593637409.000000000439B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: MEDUSI492126.pdf.exe PID: 6088, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: MEDUSI492126.pdf.exe PID: 6088, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: InstallUtil.exe PID: 5896, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: InstallUtil.exe PID: 5896, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: hgjgfddsxaz.exe PID: 6920, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: hgjgfddsxaz.exe PID: 6920, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 24.2.InstallUtil.exe.58e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 24.2.InstallUtil.exe.5900000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 24.2.InstallUtil.exe.5900000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Code function: 0_2_012AA949 |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Code function: 0_2_012ACB70 |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Code function: 0_2_012A5398 |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Code function: 0_2_012A1510 |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Code function: 0_2_012A4C30 |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Code function: 0_2_012AB441 |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Code function: 0_2_012AA480 |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Code function: 0_2_012AE632 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_04EC13F8 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_04EC0CC8 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_04EC3318 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_04EC29D8 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_04EB63AB |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_04EB48A2 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_04EC3D60 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_04EC2560 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_00C7A949 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_00C75398 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_00C7CB70 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_00C7A480 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_00C7B441 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_00C74C30 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_00C71510 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_00C7E630 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076AD5D8 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076A63A0 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076AF2E8 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076A0040 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076ADFC0 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076ABA78 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076A0820 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076AD5C8 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076A6390 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076AF2DB |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076A0006 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076ADFB0 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076A5DE1 |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Code function: 20_2_076A5DF0 |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_00E020B0 |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_031CE471 |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_031CE480 |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_031CBBD4 |
Source: 00000014.00000002.592972004.0000000004172000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000014.00000002.592972004.0000000004172000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000002.338088857.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.338088857.0000000004A4A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000014.00000002.593076062.0000000004205000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000014.00000002.593076062.0000000004205000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000018.00000002.589229834.00000000042A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000018.00000002.580480048.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000018.00000002.580480048.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000018.00000002.592742291.00000000058E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000018.00000002.592742291.00000000058E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000018.00000002.592779539.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000018.00000002.592779539.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.337626085.00000000048E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.337626085.00000000048E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000014.00000002.593637409.000000000439B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000014.00000002.593637409.000000000439B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: MEDUSI492126.pdf.exe PID: 6088, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: MEDUSI492126.pdf.exe PID: 6088, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: InstallUtil.exe PID: 5896, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: InstallUtil.exe PID: 5896, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: hgjgfddsxaz.exe PID: 6920, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: hgjgfddsxaz.exe PID: 6920, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 24.2.InstallUtil.exe.58e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 24.2.InstallUtil.exe.58e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 24.2.InstallUtil.exe.5900000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 24.2.InstallUtil.exe.5900000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 24.2.InstallUtil.exe.5900000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 24.2.InstallUtil.exe.5900000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\MEDUSI492126.pdf.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\hgjgfddsxaz.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: InstallUtil.exe, 00000018.00000002.583704046.00000000015E9000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllkb} |
Source: hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: VMware |
Source: hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: vmware svga |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.336503892.00000000013AE000.00000004.00000020.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D: |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.340692963.0000000005650000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.233158420.00000000027B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.593585742.0000000006C40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. |
Source: hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.337274177.0000000003F71000.00000004.00000001.sdmp, hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: tpautoconnsvc#Microsoft Hyper-V |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.337274177.0000000003F71000.00000004.00000001.sdmp, hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: cmd.txtQEMUqemu |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.342481616.0000000008341000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\ |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.337274177.0000000003F71000.00000004.00000001.sdmp, hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: vmusrvc |
Source: hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: vmsrvc |
Source: hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: vmtools |
Source: hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device |
Source: hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: vboxservicevbox)Microsoft Virtual PC |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.340692963.0000000005650000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.233158420.00000000027B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.593585742.0000000006C40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service. |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.340692963.0000000005650000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.233158420.00000000027B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.593585742.0000000006C40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: hgjgfddsxaz.exe, 00000014.00000002.592813356.00000000038C1000.00000004.00000001.sdmp | Binary or memory string: virtual-vmware pointing device |
Source: MEDUSI492126.pdf.exe, 00000000.00000002.340692963.0000000005650000.00000002.00000001.sdmp, reg.exe, 00000003.00000002.233158420.00000000027B0000.00000002.00000001.sdmp, InstallUtil.exe, 00000018.00000002.593585742.0000000006C40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service. |