Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: file.exe, 00000003.00000002.255141444.0000000003151000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: file.exe, 00000003.00000003.216324625.000000000608E000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: name.exe, 00000004.00000003.216797322.000000000597C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com |
Source: name.exe, 00000004.00000003.216797322.000000000597C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comext |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTF |
Source: name.exe, 00000004.00000003.220508852.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/ |
Source: name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com9 |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF6 |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalso |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed |
Source: file.exe, 00000003.00000003.253543403.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comion |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comlicd |
Source: file.exe, 00000003.00000003.253543403.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: name.exe, 00000004.00000003.214233303.000000000598B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comx |
Source: name.exe, 00000004.00000003.214182404.000000000598B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comyp |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: file.exe, 00000003.00000002.262971462.0000000006170000.00000002.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: file.exe, 00000003.00000002.262971462.0000000006170000.00000002.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: file.exe, 00000003.00000003.215566337.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cntic |
Source: file.exe, 00000003.00000003.220028378.0000000006096000.00000004.00000001.sdmp, name.exe, 00000004.00000003.220508852.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/ |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: file.exe, 00000003.00000003.220798127.0000000006096000.00000004.00000001.sdmp, file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: file.exe, 00000003.00000003.220028378.0000000006096000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/w |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: file.exe, 00000003.00000003.217445274.0000000006083000.00000004.00000001.sdmp, name.exe, 00000004.00000003.218188499.0000000005978000.00000004.00000001.sdmp, name.exe, 00000004.00000003.217929078.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: name.exe, 00000004.00000003.217929078.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/& |
Source: file.exe, 00000003.00000003.217445274.0000000006083000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//sO |
Source: name.exe, 00000004.00000003.218188499.0000000005978000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4 |
Source: name.exe, 00000004.00000003.217929078.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/? |
Source: name.exe, 00000004.00000003.217929078.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/L |
Source: file.exe, 00000003.00000003.217445274.0000000006083000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ana |
Source: file.exe, 00000003.00000003.217445274.0000000006083000.00000004.00000001.sdmp, file.exe, 00000003.00000003.217797992.0000000006089000.00000004.00000001.sdmp, name.exe, 00000004.00000003.217929078.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/ |
Source: name.exe, 00000004.00000003.218188499.0000000005978000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/i |
Source: file.exe, 00000003.00000003.217797992.0000000006089000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u |
Source: name.exe, 00000004.00000003.217929078.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w |
Source: name.exe, 00000004.00000003.218188499.0000000005978000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/rge |
Source: file.exe, 00000003.00000003.217445274.0000000006083000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/u |
Source: name.exe, 00000004.00000003.217929078.0000000005977000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x |
Source: name.exe, 00000004.00000003.218188499.0000000005978000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/~ |
Source: name.exe, 00000004.00000003.214006989.000000000598B000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: name.exe, 00000004.00000003.214006989.000000000598B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comw |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: file.exe, 00000003.00000003.219359586.000000000608E000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de |
Source: file.exe, 00000003.00000002.265434370.0000000007192000.00000004.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: file.exe, 00000003.00000002.262971462.0000000006170000.00000002.00000001.sdmp, name.exe, 00000004.00000002.258227103.0000000005A60000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: file.exe, 0000000A.00000002.470394784.0000000001316000.00000004.00000020.sdmp | String found in binary or memory: https://nexus.officeapps.live.com |
Source: 0000000B.00000002.477861276.0000000005590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: name.exe PID: 6612, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: name.exe PID: 6612, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: name.exe PID: 800, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: name.exe PID: 800, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 11.2.name.exe.5590000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 11.2.name.exe.3051688.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0000000B.00000002.477861276.0000000005590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0000000B.00000002.477861276.0000000005590000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: Process Memory Space: name.exe PID: 6612, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: name.exe PID: 6612, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: name.exe PID: 800, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: name.exe PID: 800, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 11.2.name.exe.5590000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.5590000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 11.2.name.exe.3051688.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.3051688.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\file.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\name.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\file.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\file.exe | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX |
Source: file.exe, 00000003.00000002.267489782.0000000007A75000.00000004.00000001.sdmp | Binary or memory string: VMware |
Source: file.exe, 0000000A.00000002.478323330.0000000005947000.00000004.00000001.sdmp | Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/secy& |
Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp | Binary or memory string: l!Hyper-V Virtual Machine Bus Pipes |
Source: file.exe, 0000000A.00000002.477862631.0000000005646000.00000004.00000001.sdmp | Binary or memory string: VHyper-V Dynamic Memory Integration ServiceA |
Source: file.exe, 0000000A.00000003.283195559.0000000005662000.00000004.00000001.sdmp | Binary or memory string: Hyper-V odyhnxjxsoexvdl Bus' |
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp | Binary or memory string: VMWARE |
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp | Binary or memory string: XrA"SOFTWARE\VMware, Inc.\VMware Tools |
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: wscript.exe, 00000000.00000002.217300558.0000023C9F5B0000.00000002.00000001.sdmp, file.exe, 0000000A.00000002.478778610.0000000005FD0000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.478683812.0000000006380000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported. |
Source: file.exe, 00000003.00000002.267489782.0000000007A75000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareMZF7_W99Win32_VideoControllerAU6HH_1NVideoController120060621000000.000000-00039494928display.infMSBDAE93F5W6VPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsDGO2XXF2l |
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
Source: file.exe, 0000000A.00000002.477862631.0000000005646000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Dynamic Memory Integration Service/ |
Source: file.exe, 0000000A.00000002.477926995.0000000005665000.00000004.00000001.sdmp | Binary or memory string: Hyper-V odyhnxjxsoexvdl Bus? |
Source: file.exe, 0000000A.00000002.477862631.0000000005646000.00000004.00000001.sdmp | Binary or memory string: VHyper-V Virtual Machine Bus Provider PipesW |
Source: file.exe, 0000000A.00000003.282965781.0000000001366000.00000004.00000001.sdmp | Binary or memory string: terrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Cost5366IO Instructions/sec5368IO Instructions Cost5370HLT Instructions/sec5372HLT Instructions Cost5374MWAIT Instructions/sec5376MWAIT Instructions Cost5378CPUID Instructions/sec5380CPUID Instructions Cost5382MSR Accesses/sec5384MSR Accesses Cost5386Other Intercepts/sec5388Other Intercepts Cost5390External Interrupts/sec5392External Interrupts Cost5394Pending Interrupts/sec5396Pending Interrupts Cost5398Emulated Instructions/sec5400Emulated Instructions Cost5402Debug Register Accesses/sec5404Debug Register Accesses Cost5406Page Faul |