Source: 1.2.Copy#.exe.660b410.8.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1db8cd6c-75e8-4b3e-9da8-7094ff2f", "Group": "LOG101", "Domain1": "103.28.70.172", "Domain2": "103.28.70.172", "Port": 34217, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"} |
Source: Yara match | File source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY |
Source: Yara match | File source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49727 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49728 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49729 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49733 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49734 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49735 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49741 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49747 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49755 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49756 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49757 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49761 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49762 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49765 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49766 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49767 -> 103.28.70.172:34217 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49768 -> 103.28.70.172:34217 |
Source: unknown | TCP traffic detected without corresponding DNS query: 103.28.70.172 |
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: C:\Users\user\Desktop\Copy#.exe | Code function: 1_2_013745F0 |
Source: C:\Users\user\Desktop\Copy#.exe | Code function: 1_2_01370490 |
Source: C:\Users\user\Desktop\Copy#.exe | Code function: 1_2_01373808 |
Source: C:\Users\user\Desktop\Copy#.exe | Code function: 1_2_01372BC8 |
Source: C:\Users\user\Desktop\Copy#.exe | Code function: 1_2_0137AEB3 |
Source: Copy#.exe, 00000001.00000002.380342730.0000000006424000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHIT.dll* vs Copy#.exe |
Source: Copy#.exe, 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEnjq Gqh.exe2 vs Copy#.exe |
Source: Copy#.exe, 00000001.00000000.340758822.0000000000930000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe |
Source: Copy#.exe, 00000004.00000000.356924223.00000000003F0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe |
Source: Copy#.exe, 00000006.00000003.373150693.0000000001436000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Copy#.exe |
Source: Copy#.exe, 00000006.00000000.359234712.0000000000F10000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe |
Source: Copy#.exe | Binary or memory string: OriginalFilenamehilal.exe, vs Copy#.exe |
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000001.00000002.380857943.00000000065D8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: Copy#.exe PID: 6408, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 1.2.Copy#.exe.660b410.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 1.2.Copy#.exe.65d85f0.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 1.2.Copy#.exe.660b410.8.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 1.2.Copy#.exe.65d85f0.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: unknown | Process created: C:\Users\user\Desktop\Copy#.exe 'C:\Users\user\Desktop\Copy#.exe' |
Source: C:\Users\user\Desktop\Copy#.exe | Process created: C:\Users\user\Desktop\Copy#.exe C:\Users\user\Desktop\Copy#.exe |
Source: C:\Users\user\Desktop\Copy#.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Copy#.exe | Queries volume information: C:\Users\user\Desktop\Copy#.exe VolumeInformation |
Source: C:\Users\user\Desktop\Copy#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\Copy#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\Copy#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\Copy#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\Copy#.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Users\user\Desktop\Copy#.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\Copy#.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\Copy#.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |