Windows Analysis Report
y8kdmHi6x3.exe

Overview

General Information

Sample Name: y8kdmHi6x3.exe
Analysis ID: 560001
MD5: bff363a92ac43ff249652a83dadc02ab
SHA1: 3c7b47a3f4dc3c8555b656505244886cb3a172f5
SHA256: d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580
Tags: exe, NanoCoreRAT
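The hashes above and the drop locations listed under AV Detection are the indicators a responder will want to check on other hosts. The script below is an added example, not part of the Joe Sandbox report: it computes MD5, SHA1 and SHA256 of a file in one pass and compares them with the report's digests, and it matches observed file paths against the report's drop locations after replacing the sandbox profile name ("user") with a placeholder. Function names, the <user> placeholder and the command-line usage are this example's own conventions; the randomly named Documents\BNAGMGSPLO folder is left out of the path list because its name is per-infection.

```python
"""Offline IOC triage for the sample in this report.

Added example, not part of the Joe Sandbox report. It checks a file's
MD5/SHA1/SHA256 against the digests in General Information and checks
observed file paths against the drop locations listed under AV Detection.
"""
import hashlib
import re
import sys
from typing import Dict, Iterable, List

# Digests copied from the General Information section above.
REPORT_HASHES: Dict[str, str] = {
    "md5": "bff363a92ac43ff249652a83dadc02ab",
    "sha1": "3c7b47a3f4dc3c8555b656505244886cb3a172f5",
    "sha256": "d054e33de2d63966c68b44dd1d1de8a9b7abb76781100fe82423c80e112d4580",
}

# Drop locations from the AV Detection section. The sandbox profile name
# ("user") is replaced by <user> so the check works on any host; the
# randomly named Documents\BNAGMGSPLO folder is deliberately left out.
REPORT_PATHS: List[str] = [
    "C:\\ProgramData\\Synaptics\\Synaptics.exe",
    "C:\\ProgramData\\Synaptics\\._cache_Synaptics.exe",
    "C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe",
    "C:\\Users\\<user>\\Desktop\\WINDOWS.EXE",
    "C:\\Users\\<user>\\Desktop\\SYSTEM32.EXE",
    "C:\\Users\\<user>\\Desktop\\._cache_WINDOWS.EXE",
    "C:\\Users\\<user>\\Desktop\\._cache_Synaptics.exe",
    "C:\\Users\\<user>\\AppData\\Local\\Temp\\yi1yMTqS.exe",
]

# Matches the "C:\Users\<profile>\" prefix of a lower-cased path.
_PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)


def _digest(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed each chunk to all three hashers so the data is read only once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory buffer (e.g. a carved or unpacked PE)."""
    return _digest([data])


def hash_file(path: str) -> Dict[str, str]:
    """Digests of a file on disk, streamed in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(1 << 20), b""))


def matches_report(hashes: Dict[str, str]) -> bool:
    """True only if every supplied digest equals the report's value.

    Requiring agreement on all supplied algorithms means a single stale or
    mistyped indicator cannot produce a false match on its own.
    """
    common = set(hashes) & set(REPORT_HASHES)
    return bool(common) and all(hashes[k].lower() == REPORT_HASHES[k] for k in common)


def normalize_path(path: str) -> str:
    """Lower-case a Windows path and replace the profile directory with <user>."""
    return _PROFILE_RE.sub(lambda m: "c:\\users\\<user>\\", path.lower())


_NORMALIZED_REPORT_PATHS = {normalize_path(p) for p in REPORT_PATHS}


def match_paths(observed: Iterable[str]) -> List[str]:
    """Return the observed paths that coincide with a drop location from the report."""
    return [p for p in observed if normalize_path(p) in _NORMALIZED_REPORT_PATHS]


if __name__ == "__main__":
    # Usage: python ioc_triage.py FILE [OBSERVED_PATH ...]
    if len(sys.argv) < 2:
        sys.exit("usage: ioc_triage.py FILE [OBSERVED_PATH ...]")
    digests = hash_file(sys.argv[1])
    print("hash match against report:", matches_report(digests))
    for hit in match_paths(sys.argv[2:]):
        print("drop-location match:", hit)
```

Path matching is case-insensitive because NTFS is; a hash match on the original sample only catches the dropper as submitted, while the drop locations also catch the later stages (Synaptics.exe, dhcpmon.exe) that the report shows with different hashes.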

Detection

Nanocore, AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AsyncRAT
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Drops PE files to the document folder of the user
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Sigma detected: Suspicious Add Task From User AppData Temp
Machine Learning detection for dropped file
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
PE file contains executable resources (Code or Archives)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file name differs from the original file name in its version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Contains functionality to detect sandboxes (mouse cursor move detection)
Sigma detected: Autorun Keys Modification
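Two of the Sigma hits in the list, the scheduled task added from the user's AppData\Temp folder and the autorun key modification, are the persistence behaviours most worth turning into host-side detection. The block below is an added example, not part of the Joe Sandbox report and not the Sigma project's own rule files: its conditions approximate the logic of the two public Sigma rules of those names (schtasks.exe with /create and a task definition under \AppData\Local\Temp\; a value written under a Run or RunOnce key) and it runs them over constructed Sysmon-style process-creation and registry-set events. The event field names, the rule-name strings and the sample records are assumptions of this example.

```python
"""Detection logic for two behaviours in the signature list above: a scheduled
task created from the user's AppData\\Local\\Temp folder and a write to a
Run/RunOnce autorun key.

Added example, not part of the Joe Sandbox report. The conditions below
approximate the public Sigma rules of the same names rather than reproduce
them verbatim, and the event records are constructed for illustration.
"""
from typing import Callable, Dict, List

Event = Dict[str, str]

# Autorun locations checked by the Run-key rule (an assumed subset of what
# the Sigma rule lists; HKLM and HKU paths both contain these fragments).
AUTORUN_KEY_FRAGMENTS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)


def is_temp_schtasks_create(ev: Event) -> bool:
    """schtasks.exe creating a task whose definition or action lives under AppData\\Local\\Temp."""
    if ev.get("EventType") != "ProcessCreate":
        return False
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    return (image.endswith("\\schtasks.exe")
            and "/create" in cmd
            and "\\appdata\\local\\temp\\" in cmd)


def is_autorun_key_set(ev: Event) -> bool:
    """A registry value written directly under a Run or RunOnce key."""
    if ev.get("EventType") != "RegistrySetValue":
        return False
    target = ev.get("TargetObject", "").lower()
    return any(frag in target for frag in AUTORUN_KEY_FRAGMENTS)


RULES: Dict[str, Callable[[Event], bool]] = {
    "Suspicious Add Task From User AppData Temp": is_temp_schtasks_create,
    "Autorun Keys Modification": is_autorun_key_set,
}


def run_rules(events: List[Event]) -> List[Dict[str, str]]:
    """Evaluate every rule against every event, in event order; return the hits."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        for name, predicate in RULES.items():
            if predicate(ev):
                hits.append({
                    "rule": name,
                    "image": ev.get("Image", ""),
                    "detail": ev.get("CommandLine") or ev.get("TargetObject", ""),
                })
    return hits


# Constructed Sysmon-style records (process create and registry value set);
# none are taken from the report. Events 0 and 2 should fire, the rest not.
SAMPLE_EVENTS: List[Event] = [
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /f /tn \"Updater\" /xml "
                    "C:\\Users\\alice\\AppData\\Local\\Temp\\tmpA1B2.tmp"},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn Backup /sc daily "
                    "/tr \"C:\\Program Files\\Backup\\backup.exe\""},
    {"EventType": "RegistrySetValue",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventType": "RegistrySetValue",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /query /tn Updater"},
]


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['image']} :: {hit['detail']}")
```

The second sample event shows why the Temp-folder condition matters: legitimate software also creates tasks with schtasks /create, so the rule keys on where the task definition lives, not on the tool alone. The Run-key check uses two fragments because "\Run\" on its own would miss RunOnce.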

Classification

AV Detection

Source: C:\ProgramData\Synaptics\Synaptics.exe Avira: detection malicious, Label: HEUR/AGEN.1109339
Source: C:\Users\user\AppData\Local\Temp\RCX831F.tmp Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\Desktop\WINDOWS.EXE Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\Desktop\WINDOWS.EXE Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\WINDOWS.EXE Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Desktop\._cache_Synaptics.exe Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\Desktop\._cache_Synaptics.exe Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Desktop\._cache_Synaptics.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\SYSTEM32.EXE Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\RCX788E.tmp Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe Avira: detection malicious, Label: HEUR/AGEN.1109339
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Documents\BNAGMGSPLO\~$cache1 Avira: detection malicious, Label: HEUR/AGEN.1109339
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Avira: detection malicious, Label: WORM/Dldr.Agent.gqrxn
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Avira: detection malicious, Label: W2000M/Dldr.Agent.17651006
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: Yara match File source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
Source: y8kdmHi6x3.exe Virustotal: Detection: 57%
Source: y8kdmHi6x3.exe Metadefender: Detection: 48%
Source: y8kdmHi6x3.exe ReversingLabs: Detection: 81%
Source: y8kdmHi6x3.exe Avira: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Metadefender: Detection: 88%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 97%
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe ReversingLabs: Detection: 92%
Source: C:\ProgramData\Synaptics\Synaptics.exe Metadefender: Detection: 48%
Source: C:\ProgramData\Synaptics\Synaptics.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Temp\RCX831F.tmp Metadefender: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\RCX831F.tmp ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe Metadefender: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\._cache_Synaptics.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Metadefender: Detection: 88%
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE ReversingLabs: Detection: 97%
Source: y8kdmHi6x3.exe Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\Synaptics.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WINDOWS.EXE Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\._cache_Synaptics.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SYSTEM32.EXE Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe Joe Sandbox ML: detected
Source: C:\Users\user\Documents\BNAGMGSPLO\~$cache1 Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Joe Sandbox ML: detected
Source: 21.0.Synaptics.exe.400000.21.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.21.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.21.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.21.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.21.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 7.0.SYSTEM32.EXE.da0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.0.Synaptics.exe.400000.8.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.8.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.8.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.8.unpack Avira: Label: TR/Dropper.Gen
Source: 23.0.Synaptics.exe.400000.8.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.6.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.6.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.6.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.6.unpack Avira: Label: TR/Dropper.Gen
Source: 23.0.Synaptics.exe.400000.6.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.2.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.2.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.2.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.2.Synaptics.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 21.2.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.12.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.12.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.12.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.12.unpack Avira: Label: TR/Dropper.Gen
Source: 23.0.Synaptics.exe.400000.12.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.Synaptics.exe.400000.12.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.12.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.12.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.12.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.12.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.16.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.16.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.16.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.16.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.16.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.10.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.10.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.10.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.10.unpack Avira: Label: TR/Dropper.Gen
Source: 23.0.Synaptics.exe.400000.10.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.10.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.10.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.10.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.10.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.10.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.14.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.14.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.14.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.14.unpack Avira: Label: TR/Dropper.Gen
Source: 23.0.Synaptics.exe.400000.14.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 9.2.WINDOWS.EXE.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 9.2.WINDOWS.EXE.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.WINDOWS.EXE.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.12.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.12.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.12.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.12.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.12.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.31.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.31.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.31.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.31.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.31.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.8.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.8.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.8.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.8.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.8.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.8.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.8.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.8.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.8.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.8.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.21.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.21.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.21.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.21.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.21.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.2.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.2.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.2.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.2.Synaptics.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 23.2.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 19.0.dhcpmon.exe.e20000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.14.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.14.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.14.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.14.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.14.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.14.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.14.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.14.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.14.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.14.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 7.2.SYSTEM32.EXE.da0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.6.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.6.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.6.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.6.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.6.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.16.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.16.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.16.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.16.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.16.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.21.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.21.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.21.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.21.unpack Avira: Label: TR/Dropper.Gen
Source: 23.0.Synaptics.exe.400000.21.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.26.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.26.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.26.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.26.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.26.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 23.0.Synaptics.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.4.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 23.0.Synaptics.exe.400000.4.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 19.2.dhcpmon.exe.e20000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.0.Synaptics.exe.400000.6.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.6.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.0.Synaptics.exe.400000.6.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.0.Synaptics.exe.400000.6.unpack Avira: Label: TR/Dropper.Gen
Source: 20.0.Synaptics.exe.400000.6.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.16.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.16.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 23.0.Synaptics.exe.400000.16.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 23.0.Synaptics.exe.400000.16.unpack Avira: Label: TR/Dropper.Gen
Source: 23.0.Synaptics.exe.400000.16.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 9.0.WINDOWS.EXE.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 9.0.WINDOWS.EXE.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.WINDOWS.EXE.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.10.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.10.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 21.0.Synaptics.exe.400000.10.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 21.0.Synaptics.exe.400000.10.unpack Avira: Label: TR/Dropper.Gen
Source: 21.0.Synaptics.exe.400000.10.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.2.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.2.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006
Source: 20.2.Synaptics.exe.400000.0.unpack Avira: Label: WORM/Dldr.Agent.gqrxn
Source: 20.2.Synaptics.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 20.2.Synaptics.exe.400000.0.unpack Avira: Label: W2000M/Dldr.Agent.17651006

Compliance

Source: y8kdmHi6x3.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: unknown HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: y8kdmHi6x3.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323334149.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323334149.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp

Spreading

Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: y8kdmHi6x3.exe Binary or memory string: autorun.inf
Source: y8kdmHi6x3.exe Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: y8kdmHi6x3.exe, 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: y8kdmHi6x3.exe, 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: y8kdmHi6x3.exe, 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: [autorun]
Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: [autorun]
Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: WINDOWS.EXE Binary or memory string: autorun.inf
Source: WINDOWS.EXE Binary or memory string: [autorun]
Source: WINDOWS.EXE, 00000009.00000000.329285707.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: WINDOWS.EXE, 00000009.00000000.329285707.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: WINDOWS.EXE, 00000009.00000000.329285707.0000000000401000.00000020.00000001.01000000.00000008.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000014.00000000.386522455.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000014.00000000.386522455.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000014.00000000.386522455.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000014.00000000.442202940.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000014.00000000.442202940.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000014.00000000.442202940.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000014.00000000.375965168.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000014.00000000.375965168.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000014.00000000.375965168.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000015.00000000.387756997.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000015.00000000.387756997.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000015.00000000.387756997.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000015.00000002.401565081.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000015.00000002.401565081.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000015.00000002.401565081.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000015.00000000.380393313.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000015.00000000.380393313.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000015.00000000.380393313.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000017.00000000.392515313.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000017.00000000.392515313.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000017.00000000.392515313.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000017.00000002.422072691.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000017.00000002.422072691.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000017.00000002.422072691.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_004099E0
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_00406018
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 9_2_004099E0
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 9_2_00406018
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00409B1C FindFirstFileA,GetLastError, 9_2_00409B1C

Networking

Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49783 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49785 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49786 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49804 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49812 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49829 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49848 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49853 -> 54.38.136.57:53811
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49855 -> 54.38.136.57:53811
Source: global traffic TCP traffic: 54.38.136.57 ports 48129,1,2,8808,4,8,53811,9
Source: unknown DNS query: name: freedns.afraid.org
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 54.38.136.57:48129
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978$1
Source: SYSTEM32.EXE String found in binary or memory: http://schemas.microsof
Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll6
Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dlp
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniD0
Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniD0/
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniZ
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xred.site50.net/syn/Synaptics.rarZ
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/7
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/7A8
Source: Synaptics.exe, 00000014.00000002.529402333.0000000007916000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/w
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.goo
Source: Synaptics.exe, 00000014.00000000.448364389.0000000008ECE000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.goog
Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.447489062.00000000079A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: Synaptics.exe, 00000014.00000000.447489062.00000000079A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/S
Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downloadN
Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlop
Source: Synaptics.exe, 00000014.00000000.446360400.0000000006DFD000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531566369.000000000950E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.433312249.000000000717D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448502612.00000000093CE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531400258.000000000900E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.433243588.000000000703D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531929602.0000000009D4E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531339154.0000000008D8E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531642477.000000000978E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.440101952.0000000008AFE000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&expo
Source: Synaptics.exe, 00000014.00000000.448472655.000000000928E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448435227.000000000914E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531299488.0000000008C4E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448937298.0000000009C0E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448040198.00000000084FE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448191184.000000000877E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.531838895.0000000009ACE000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.448565852.000000000964E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.432142261.000000000353D000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.439872700.000000000863E000.00000004.00000010.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.440050531.00000000089BE000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=d
Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downlo
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download#
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download$
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download%
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(
Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download(o2
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download)
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download.
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download/c
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0v
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download0x
Source: Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download1
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download12
Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download2
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download5
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download6
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download8
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download9
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadB
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadCo
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadE
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadF
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadI
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadJ
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadK
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadL
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadN
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadP
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadT
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadU
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadV
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadY
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download_
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloada
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadb
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadd
Source: Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloade
Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadeF
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadf
Source: Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadgh
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadi
Source: Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadj
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadl
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadn
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloado
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpv
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadpx
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadq
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadt.be
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadtoN
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadu
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadv
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadw
Source: Synaptics.exe, 00000014.00000000.438951576.00000000079C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadzC
Source: Synaptics.exe, 00000014.00000002.529484734.0000000007922000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloadzQ
Source: Synaptics.exe, 00000014.00000000.431941807.0000000001373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~
Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download~S
Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp, WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp, WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloadN
Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1:
Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=8
Source: WINDOWS.EXE, 00000009.00000003.336747478.00000000022F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=16
Source: Synaptics.exe, 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: Synaptics.exe, 00000014.00000002.527933860.0000000002E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1:
Source: unknown DNS traffic detected: queries for: agonizing-bat.auto.playit.gg
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00474D50 InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle, 4_2_00474D50
Source: global traffic HTTP traffic detected: GET /uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download HTTP/1.1User-Agent: Synaptics.exeHost: docs.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 HTTP/1.1User-Agent: MyAppHost: freedns.afraid.orgCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-h8PmNUY3Lxp2hZQHX+d9yQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=SSVn4-j59JXsTzxw847lfqJIID7zKof-Xkcxy3fnYPbOQF2K_rhItUDKpUam4CimsZa0ZkCNsNF-p5jihI9D9v5_JpNDmEeXc8nvpPuWdC1Y-5-xdpfIrOe7Xgo8_7k6NVyKXkeYW_T_LgorYz9SrXu0RFiFNl_tuUgPHfJZcdM; expires=Thu, 28-Jul-2022 01:40:41 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-MnbeCR+DLosHit1O26Q8ng' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=Z9NzJjnPWUitQLAoJHeuMMuo7U2KlbjEgRTwO6DBDzKkE9bNbTk7QrgaCNMw7qYQFNh3y6NAHppTjvVahiaNwwztWY1HVVfW-N_CaP8ut_6I2UiEdontaeBHy3IXTvLOy8WJyEVXH-OcRIRxCituWMrRoGdSseIThKXC76zDRX8; expires=Thu, 28-Jul-2022 01:40:41 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-YXDM5qvdo8b2sWEK1L9uVw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=ItB4rggOjE7L83nmMdJfyQhAXU45o48wqAdRB-lL5Ie-MdQjOv3okMid3WbfMDZHbnDZr5k9aqXXvSn4CBTAwHSyCdMEU1QFmYWvxj_Bxyqo2--MwRLKKn67BRFBYD59EXcasAatKWIUcsJscCR7xpunrw5_i7il4Vlwvg1bm0Y; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-qUQ/asTtDE7He0Vml9HmZA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=GsvAX0t__-cMfTHedu1r9_YWhq8dTNOVby6k30MueLAVtOkLaQZHzdz00YyNq18rbdjPdyc0Y4iU6Kprz94a8dWdD6HYvujbvGXtTMbrJ3VWJ8_KcKALdwMx3u4pWl4yDWktspyOAhFbeHv2Cp3cvEGHz7ybCheljHi7wIYyQiw; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-RzI2vKOO/RcM9o2uC+wZFw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=oHsspnoaoRPvcVOBycmUhuol6EoOLvfMWKH14ADwtMfMkSbpD4McXBo-NIiw6WK2tPXLjhAxXrYi2j5Wwdpvid_dF8gzqeWxh1UK7pTsTjP_eApiv0c3T4yzPwYAKv1vSBfh3DOcMmuNNBAVV__pNTcD74huBhRy_r2KZ3mXhAA; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-3MXOmncPcJvKr/WLBVs8Mw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:42 GMTExpires: Wed, 26 Jan 2022 01:40:42 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=mjLYExoCbbzoBBUNtGENtY1M0qKSlrmcXoYIJs_CCALnZCIBOqRp-6QCq8BTRpdonT8b51hpbQiifNkp-lDolBQYDmXkMflxAtOsGTOCzEEwcE_m_YCznKVQUDPJwzWP67jsK7TbGuvkjGhB4aiIzcwX0QCU0QfLneZL1N-82lk; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Content-Security-Policy: script-src 'nonce-ftrJSB7t2WqD3Wc0doJpzQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=tgTMfZ7NTv3R_IbrSihjBb2kk2KK_CmJAfjV8L7E1gj4Y4KyElEhEF7auzo5NNAF14Er8xmdQUjR1JrqDdruxUCOf144megLwLiTcIrUnMGZ3M5zqxV_TbzDZP_KcKlSmjUpwVMXYOVgPbfDy-mE52xpmx5XYc-gW0fNu7Lj6xE; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Content-Security-Policy: script-src 'nonce-g3DFDAYiVjvuKejFhieIhA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=XWSM1KThS4sUsrpzKBe-UXkKfBYAOV_V-pBG4TKFtlwNETSmBsNYLPwdIwLP0C-cxljhicCjVhOhPmGHGngvqmlM2xSVvWyVCpJQp2pHYXPcOD30RrXp7d7_kmx8iB9z6zkwLZ1gA4C9LvCNMS4ZvE6vwxPFj2YLPWJWrLwBtuU; expires=Thu, 28-Jul-2022 01:40:42 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-UDhg3Ol/vxNIFYfR64ajjw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=orlJ0NdqZKBuJgdBAEhrpiJB9dinWrdefjKHLXO8dDrwrs2Gl1KvH5O7_-hmsGmBPar5jEJIZpwkTCp2aADXUJ0v22jDK2OpqNdmc3PhtYeUGrfIsg6cJvKc8XJd9d_le0i0QmiTXebU0Dlow0IYxVePmxM_0xdnuzLXfA_AGj0; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-nGVV6uaGbC+cgXeCHrTnSA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=VdtJ7dEWxYuwyj39zjdCItptsaZ6X41Pt1W2YzyShAKVYzCo0n_VAjG3Kn-q7l3N32RNwv0zA2ey7csKpdnOYEPwRG8aljEu-tCTLhtS6O7TKkJJn4tmHfofq494iuEnE3vtL1knh7Pf5mhXt5w5tA2uLL2slaN9xSnjd-w54RM; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-RdHp+ZvfKKgbks87zRU3qw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=myEvXuTvmjxcm4mnQp4ui8yq_pOmgMJXZ4qPt8sg5dP6BwW624u9fHxPm5SLfaDR1bn3DRtOVcQUmhGJb-8EKyJI7IqoDlJu-Yimrlw3LeFe0RflH1gxCzx21qwDBT5nfkHN9MrZplq9LIxFpB6oGRU1iePbOAj1ojcanT9iX_g; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Content-Security-Policy: script-src 'nonce-5xU30urGcRrPcxntL4QFLA' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=IZ6IVToh4zcgc4x1sK0NAA7spP8dwoR3XdYssI9Pua_F_DpwrV1d7A2Lplg8ZiHtNOapGJdXunEw6OYhdWwZhh5BxFEnWLJm3lGH0S_UX5kgHKRMYqUNqOgw-QSKsMVLz69xPBGSBWDQ0g4zqPg2fWvSD6Mzlg5dqGcoGip1x00; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-vjtjcs1W4e/lOQ1cPPxnLQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=Vdgur68JofFWxSUhQckp8zV0Ef0ZTFKVUJ8d5I7w3wEVePra58Z4_uxGHewkEDv_U56WgYsIry6fzKCoIDq_XnVime8D9MZwNFwdrBRbEIFbenKPqF_DFmtRfk6NxThU8hv4EwxUkU88wcM1eVL3wKXNvecBnLUZFwUV5PX3e9Q; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_gse_l9ocaq"Report-To: {"group":"coop_gse_l9ocaq","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gse_l9ocaq"}]}Content-Security-Policy: script-src 'nonce-sPLIUksRvialjFnyjQevTQ' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/Date: Wed, 26 Jan 2022 01:40:43 GMTExpires: Wed, 26 Jan 2022 01:40:43 GMTCache-Control: private, max-age=0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockServer: GSESet-Cookie: NID=511=WFRHPG-cDuXn9NqSuf0VuWUkAVPh5GdWWBMC9Ru1r6X6fT83oiT3knyYXEyjiVM_qb89t-XLdImlV-942jaLFcvX5D8TlLCmy87ko9TMEaSPrPNdarZ8TaE063oXe5MvEO7vd0XWYuVzSFICtzlQxwzQzt7o0ltS-HOTCTQepZI; expires=Thu, 28-Jul-2022 01:40:43 GMT; path=/; domain=.google.com; HttpOnlyAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site,Accept-EncodingConnection: closeTransfer-Encoding: chunked
Source: Synaptics.exe, 00000014.00000000.447541518.00000000079D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *.google.com*.appengine.google.com*.bdn.dev*.cloud.google.com*.crowdsource.google.com*.datacompute.google.com*.google.ca*.google.cl*.google.co.in*.google.co.jp*.google.co.uk*.google.com.ar*.google.com.au*.google.com.br*.google.com.co*.google.com.mx*.google.com.tr*.google.com.vn*.google.de*.google.es*.google.fr*.google.hu*.google.it*.google.nl*.google.pl*.google.pt*.googleadapis.com*.googleapis.cn*.googlevideo.com*.gstatic.cn*.gstatic-cn.comgooglecnapps.cn*.googlecnapps.cngoogleapps-cn.com*.googleapps-cn.comgkecnapps.cn*.gkecnapps.cngoogledownloads.cn*.googledownloads.cnrecaptcha.net.cn*.recaptcha.net.cnwidevine.cn*.widevine.cnampproject.org.cn*.ampproject.org.cnampproject.net.cn*.ampproject.net.cngoogle-analytics-cn.com*.google-analytics-cn.comgoogleadservices-cn.com*.googleadservices-cn.comgooglevads-cn.com*.googlevads-cn.comgoogleapis-cn.com*.googleapis-cn.comgoogleoptimize-cn.com*.googleoptimize-cn.comdoubleclick-cn.net*.doubleclick-cn.net*.fls.doubleclick-cn.net*.g.doubleclick-cn.netdoubleclick.cn*.doubleclick.cn*.fls.doubleclick.cn*.g.doubleclick.cndartsearch-cn.net*.dartsearch-cn.netgoogletraveladservices-cn.com*.googletraveladservices-cn.comgoogletagservices-cn.com*.googletagservices-cn.comgoogletagmanager-cn.com*.googletagmanager-cn.comgooglesyndication-cn.com*.googlesyndication-cn.com*.safeframe.googlesyndication-cn.comapp-measurement-cn.com*.app-measurement-cn.comgvt1-cn.com*.gvt1-cn.comgvt2-cn.com*.gvt2-cn.com2mdn-cn.net*.2mdn-cn.netgoogleflights-cn.net*.googleflights-cn.netadmob-cn.com*.admob-cn.com*.gstatic.com*.metric.gstatic.com*.gvt1.com*.gcpcdn.gvt1.com*.gvt2.com*.gcp.gvt2.com*.url.google.com*.youtube-nocookie.com*.ytimg.comandroid.com*.android.com*.flash.android.comg.cn*.g.cng.co*.g.cogoo.glwww.goo.glgoogle-analytics.com*.google-analytics.comgoogle.comgooglecommerce.com*.googlecommerce.comggpht.cn*.ggpht.cnurchin.com*.urchin.comyoutu.beyoutube.com*.youtube.comyoutubeeducation.com*.youtubeeducation.comyoutubekids.com*.youtubekids.comyt.be*.yt.beandroid.clients.google.comdeveloper.android.google.cndevelopers.android.google.cnsource.android.google.cn equals www.youtube.com (Youtube)
Source: unknown HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.3:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.3:49765 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3fef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3e27d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.46e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.40cf190.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3f07d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.46af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.44e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.48af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4320940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3c60940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3d40940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4520940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.426967542.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.403770740.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.442628618.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.413670718.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.425456929.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.327639082.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.395835615.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0043C1FC GetKeyboardState, 4_2_0043C1FC
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004289FC GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 4_2_004289FC
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00429040 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 4_2_00429040
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices
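The API chains above are the evidence behind the keylogging, clipboard-theft and screen-capture verdicts: GetKeyboardState and RegisterRawInputDevices read keystrokes, GetClipboardData reads the clipboard, and the long GDI chain (GetDC, CreateCompatibleDC, GetDIBits, BitBlt) copies screen pixels out of a device context. The following script is an added example written for this page, not code from the sandbox vendor or from the sample: it parses "Code function:" and "Binary or memory string:" report lines of exactly the form shown above and maps the observed API names to capability labels. The API groupings are the editor's own triage heuristic, and the fifth sample line (address 4_2_00400000, GetDC/ReleaseDC) is a constructed control line, not from the report, included so that the screen-capture rule can be shown not to fire on a device-context call with no pixel read-back.

```python
import re
from collections import defaultdict

# Constructed sample input: the three "Code function" lines and the
# memory-string line quoted from this report section, plus one control
# line with a hypothetical address (not from the report) that obtains a
# device context without reading pixels back, so the screen-capture rule
# must not fire on it.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0043C1FC GetKeyboardState, 4_2_0043C1FC",
    r"Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004289FC GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 4_2_004289FC",
    r"Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00429040 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 4_2_00429040",
    r"Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: RegisterRawInputDevices",
    r"Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00400000 GetDC,ReleaseDC, 4_2_00400000",  # constructed control line
]

# Report line format: "Code function: <proc>_<stage>_<addr> <api>,<api>,... <proc>_<stage>_<addr>"
CODE_FUNC_RE = re.compile(r"Code function:\s+(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>.+?),?\s+(?P=fn)\s*$")
MEM_STRING_RE = re.compile(r"Binary or memory string:\s+(?P<s>\S+)\s*$")

# API groupings used by this triage heuristic (editor's assumption, not the
# sandbox's own signature logic). Screen capture is only asserted when one
# function both obtains a device context and copies pixels out of it;
# GetDC on its own is ubiquitous in benign GUI code.
INPUT_CAPTURE = {"GetKeyboardState", "GetAsyncKeyState", "GetKeyState",
                 "SetWindowsHookExA", "SetWindowsHookExW",
                 "RegisterRawInputDevices", "GetRawInputData"}
CLIPBOARD_READ = {"GetClipboardData"}
SCREEN_DC = {"GetDC", "GetWindowDC", "CreateCompatibleDC"}
SCREEN_PIXELS = {"BitBlt", "StretchBlt", "GetDIBits"}


def parse_line(line):
    """Return ("function", fn_id, [apis]) or ("string", None, [name]) or None."""
    m = CODE_FUNC_RE.search(line)
    if m:
        apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
        return "function", m.group("fn"), apis
    m = MEM_STRING_RE.search(line)
    if m:
        return "string", None, [m.group("s")]
    return None


def classify_apis(apis):
    """Map the API names observed in one function (or one string) to capability labels."""
    seen = set(apis)
    caps = set()
    if seen & INPUT_CAPTURE:
        caps.add("input_capture")
    if seen & CLIPBOARD_READ:
        caps.add("clipboard_read")
    if seen & SCREEN_DC and seen & SCREEN_PIXELS:
        caps.add("screen_capture")
    return caps


def triage(lines):
    """Return {capability: sorted evidence ids}; ids are function ids or 'string:<api>'."""
    evidence = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, fn_id, apis = parsed
        label = fn_id if kind == "function" else "string:" + apis[0]
        for cap in classify_apis(apis):
            evidence[cap].add(label)
    return {cap: sorted(ids) for cap, ids in evidence.items()}


if __name__ == "__main__":
    for cap, ids in sorted(triage(SAMPLE_LINES).items()):
        print(f"{cap:16s} <- {', '.join(ids)}")
```

Run against the five sample lines, the script attributes input capture to function 4_2_0043C1FC and to the RegisterRawInputDevices string, clipboard reading to 4_2_004289FC, and screen capture to 4_2_00429040 only; the control line with GetDC alone produces no label. When pasting a full report into it, treat each label as a lead to confirm in the unpacked binary, since the sandbox attributes these chains to the static function, not to an observed call at runtime.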

E-Banking Fraud

Source: Yara match File source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
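The Yara-match lists in this block and in the preceding one share one line format with four source kinds: UNPACKEDPE names a dumped PE as <process>.<stage>.<image>.<base>.<index>[.raw].unpack, MEMORY names a raw memory dump whose first and fourth dotted fields are the process index and base address in hex, MEMORYSTR names a live process by image and PID, and DROPPED is a path on disk. For response work the useful output is the de-duplicated set of dropped paths, process names with PIDs, and which processes carried an unpacked payload. The script below is an added example written for this page, not tooling from the sandbox vendor: it parses a constructed sample of lines copied from these lists (one duplicated on purpose) into that summary. The meaning of the stage field (0 for a snapshot at process start, 2 for one at process end) and of the trailing fields of the .sdmp name are the editor's assumptions; the trailing fields are deliberately left undecoded.

```python
import re
from collections import defaultdict

# Constructed sample: Yara-match "Source:" lines copied from this report's
# E-Banking Fraud list, with the last one duplicated to show de-duplication.
SAMPLE_LINES = [
    "Source: Yara match File source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY",
    "Source: Yara match File source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR",
    "Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR",
    r"Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED",
    r"Source: Yara match File source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED",
    r"Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED",
    "Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR",  # duplicate
]

SRC_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<kind>UNPACKEDPE|MEMORY|MEMORYSTR|DROPPED)\s*$")
# <proc>.<stage>.<image>.<base hex>.<index>[.raw].unpack; the image name may itself
# contain dots, so it is matched non-greedily and the base must be lowercase hex.
# Assumption: stage 0 = snapshot at process start, 2 = snapshot at process end.
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<stage>\d)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
# <proc hex>.<stage hex>.<dump id>.<base hex, 16 digits>.<further fields>.sdmp
# Only the process index and base address are decoded; the rest is treated as opaque.
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\.")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>.+?) PID: (?P<pid>\d+)$")


def parse_source(line):
    """Return (kind, fields) for one Yara-match line, or None if it is not one."""
    m = SRC_RE.match(line.strip())
    if not m:
        return None
    kind, src = m.group("kind"), m.group("src")
    if kind == "UNPACKEDPE":
        u = UNPACK_RE.match(src)
        if not u:
            return None
        return kind, {"proc": int(u["proc"]), "stage": int(u["stage"]), "image": u["image"],
                      "base": int(u["base"], 16), "index": int(u["idx"]), "raw": bool(u["raw"])}
    if kind == "MEMORY":
        d = SDMP_RE.match(src)
        if not d:
            return None
        return kind, {"proc": int(d["proc"], 16), "stage": int(d["stage"], 16), "base": int(d["base"], 16)}
    if kind == "MEMORYSTR":
        p = MEMSTR_RE.match(src)
        if not p:
            return None
        return kind, {"image": p["image"], "pid": int(p["pid"])}
    return kind, {"path": src}


def summarize(lines):
    """Collapse a Yara-match list into de-duplicated IOCs for hunting and triage."""
    dropped, procs, unpacked, regions = set(), defaultdict(set), defaultdict(set), set()
    for line in lines:
        parsed = parse_source(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "DROPPED":
            dropped.add(f["path"])
        elif kind == "MEMORYSTR":
            procs[f["image"]].add(f["pid"])
        elif kind == "UNPACKEDPE":
            unpacked[f["image"]].add(f["proc"])
        elif kind == "MEMORY":
            regions.add((f["proc"], f["base"]))
    return {
        "dropped": sorted(dropped),
        "processes": {k: sorted(v) for k, v in procs.items()},
        "unpacked": {k: sorted(v) for k, v in unpacked.items()},
        "memory_regions": sorted(regions),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for path in summary["dropped"]:
        print("dropped  ", path)
    for image, pids in sorted(summary["processes"].items()):
        print("process  ", image, pids)
    for image, procs in sorted(summary["unpacked"].items()):
        print("unpacked ", image, "in process index", procs)
    for proc, base in summary["memory_regions"]:
        print(f"memory    proc {proc} base 0x{base:X}")
```

Note that the report's process index (the leading number of an unpack name, or the first hex field of a .sdmp name) is the sandbox's own numbering, not the Windows PID; only MEMORYSTR lines carry PIDs. The dropped paths are the artefacts worth sweeping for on other hosts, and the process names mimicking system components (WINDOWS.EXE, SYSTEM32.EXE) are the ones to alert on when they appear in a user's Desktop folder.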

System Summary

Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.2ba178c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.35f3dc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.._cache_WINDOWS.EXE.3353bdc.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.4f70000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.562031611.0000000004F70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 3668
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 0_2_00FCC0E4
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 0_2_00FCE530
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 0_2_00FCE520
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004601F0
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0046C7CC
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0048C7F4
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0044EA40
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00496E18
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0046B1E4
Source: C:\Users\user\Desktop\SYSTEM32.EXE Code function: 7_2_00DA5FB9
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_015DC0E4
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_015DE530
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_015DE520
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_05B0E6B8
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_05B0C568
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_05B02628
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_05B0B190
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_05B02DB8
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_05B02DAB
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_05B0DBA0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_06061268
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_06063B60
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_060633F0
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_06066F80
Source: C:\ProgramData\Synaptics\Synaptics.exe Code function: 8_2_0606FB88
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_004601F0
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0046C7CC
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0048C7F4
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0044EA40
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00496E18
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0046B1E4
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045FCC8
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00453DA4
Source: WINDOWS.EXE.6.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Section loaded: starttiledata.dll
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Section loaded: starttiledata.dll
Source: C:\Users\user\Desktop\WINDOWS.EXE Section loaded: starttiledata.dll
Source: C:\Users\user\Desktop\WINDOWS.EXE Section loaded: starttiledata.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: starttiledata.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: starttiledata.dll
Source: y8kdmHi6x3.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.2ba178c.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.2ba178c.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.35f3dc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.35f3dc4.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.._cache_WINDOWS.EXE.3353bdc.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.._cache_WINDOWS.EXE.3353bdc.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.4f70000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.4f70000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: String function: 0049058C appears 56 times
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: String function: 004109E8 appears 31 times
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: String function: 004049C0 appears 66 times
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: String function: 004070F0 appears 69 times
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: String function: 00404CCC appears 49 times
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: String function: 0049058C appears 56 times
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: String function: 004109E8 appears 34 times
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: String function: 004049C0 appears 76 times
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: String function: 004070F0 appears 81 times
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: String function: 00404CCC appears 54 times
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0043F118 NtdllDefWindowProc_A,GetCapture, 4_2_0043F118
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004598AC NtdllDefWindowProc_A, 4_2_004598AC
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_0045A054
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_0045A104
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A, 4_2_0045E9EC
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 4_2_0044EA40
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042F60C NtdllDefWindowProc_A, 4_2_0042F60C
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0043F118 NtdllDefWindowProc_A,GetCapture, 9_2_0043F118
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_004598AC NtdllDefWindowProc_A, 9_2_004598AC
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 9_2_0045A054
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 9_2_0045A104
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A, 9_2_0045E9EC
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,733AB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 9_2_0044EA40
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0042F60C NtdllDefWindowProc_A, 9_2_0042F60C
Source: ._cache_y8kdmHi6x3.exe.4.dr Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: ._cache_y8kdmHi6x3.exe.4.dr Static PE information: Resource name: RBIND type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: WINDOWS.EXE.6.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: WINDOWS.EXE.6.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: y8kdmHi6x3.exe, 00000000.00000002.322526944.000000000077C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSkeet Swapper1.exe< vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameb! vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000004.00000000.312757349.0000000000D8C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSkeet Swapper1.exe< vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000004.00000003.328489668.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameb! vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameb! vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe, 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameStub.exe" vs y8kdmHi6x3.exe
Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFileName vs y8kdmHi6x3.exe
Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilenameb! vs y8kdmHi6x3.exe
Source: y8kdmHi6x3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Synaptics.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ._cache_WINDOWS.EXE.9.dr Static PE information: Section: .rsrc ZLIB complexity 0.995641331215
Source: y8kdmHi6x3.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\y8kdmHi6x3.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@47/38@27/5
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File read: C:\Users\user\Desktop\desktop.ini
Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ._cache_WINDOWS.EXE.9.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ._cache_WINDOWS.EXE.9.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: SYSTEM32.EXE.6.dr, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: SYSTEM32.EXE.6.dr, RXbHkqahxovcPAhX/DhyXMclpTuKggjB.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00425FB8 GetLastError,FormatMessageA, 9_2_00425FB8
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WINDOWS.EXE Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\Synaptics\Synaptics.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004747D8 FindResourceA, 4_2_004747D8
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File created: C:\Program Files (x86)\DHCP Monitor
Source: y8kdmHi6x3.exe Virustotal: Detection: 57%
Source: y8kdmHi6x3.exe Metadefender: Detection: 48%
Source: y8kdmHi6x3.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File read: C:\Users\user\Desktop\y8kdmHi6x3.exe
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\y8kdmHi6x3.exe "C:\Users\user\Desktop\y8kdmHi6x3.exe"
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\y8kdmHi6x3.exe C:\Users\user\Desktop\y8kdmHi6x3.exe
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe "C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe"
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: unknown Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE C:\Users\user\Desktop\._cache_WINDOWS.EXE 0
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
Source: C:\Users\user\Desktop\._cache_Synaptics.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
Source: C:\Users\user\Desktop\._cache_Synaptics.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
Source: C:\Users\user\Desktop\._cache_Synaptics.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
Source: C:\Users\user\Desktop\._cache_Synaptics.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\._cache_Synaptics.exe "C:\ProgramData\Synaptics\._cache_Synaptics.exe"
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe Process created: C:\ProgramData\Synaptics\SYSTEM32.EXE "C:\ProgramData\Synaptics\SYSTEM32.EXE"
Source: C:\ProgramData\Synaptics\._cache_Synaptics.exe Process created: C:\ProgramData\Synaptics\WINDOWS.EXE "C:\ProgramData\Synaptics\WINDOWS.EXE"
Source: C:\ProgramData\Synaptics\WINDOWS.EXE Process created: C:\ProgramData\Synaptics\._cache_WINDOWS.EXE "C:\ProgramData\Synaptics\._cache_WINDOWS.EXE"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 3668
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\y8kdmHi6x3.exe C:\Users\user\Desktop\y8kdmHi6x3.exe
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe "C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe"
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\._cache_Synaptics.exe "C:\ProgramData\Synaptics\._cache_Synaptics.exe"
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00475958 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,GetLastError,GetLastError, 9_2_00475958
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File created: C:\Users\user\AppData\Local\Temp\tmp939D.tmp
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00409ED2 GetDiskFreeSpaceA, 9_2_00409ED2
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SYSTEM32.EXE Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\ProgramData\Synaptics\Synaptics.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: SYSTEM32.EXE.6.dr, eVWbregzvU/yvcwMXCsTRJU.cs Base64 encoded string
Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, eVWbregzvU/yvcwMXCsTRJU.cs Base64 encoded string
Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, eVWbregzvU/yvcwMXCsTRJU.cs Base64 encoded string
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\{fd5fd13e-0f57-4bfb-84a4-034a7f99c7fe}
Source: C:\Users\user\Desktop\SYSTEM32.EXE Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\ProgramData\Synaptics\Synaptics.exe Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_01
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Command line argument: shell32.dll 6_2_003C1320
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Command line argument: ShellExecuteA 6_2_003C1320
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Command line argument: RBIND 6_2_003C1320
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Command line argument: C< 6_2_003C4330
Source: C:\ProgramData\Synaptics\Synaptics.exe File written: C:\Users\user\AppData\Local\Temp\ohdSUNQ.ini
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3fef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3e27d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.46e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.40cf190.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3f07d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.46af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.44e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.48af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4320940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3c60940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3d40940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4520940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.329285707.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386522455.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317412867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.379982346.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.387756997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.430371740.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.378011350.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.404954241.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.392515313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.442202940.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.314658286.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.396965179.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.389965974.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.386302469.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401565081.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.390367257.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.399973811.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.313768043.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.441048593.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.381765881.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.380393313.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.388606290.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329204353.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.312421482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429244511.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.384393929.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526573354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.383936753.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.310332438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.417274835.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.382689406.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.403730358.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.381548795.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.408854727.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.375965168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422072691.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.337852872.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.400267484.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.313014699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.387352587.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.382444300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316511430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
Source: y8kdmHi6x3.exe, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.y8kdmHi6x3.exe.5b0000.0.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.y8kdmHi6x3.exe.5b0000.0.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: Synaptics.exe.4.dr, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.y8kdmHi6x3.exe.bc0000.2.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.y8kdmHi6x3.exe.bc0000.13.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.y8kdmHi6x3.exe.bc0000.25.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.y8kdmHi6x3.exe.bc0000.0.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.y8kdmHi6x3.exe.bc0000.15.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.y8kdmHi6x3.exe.bc0000.5.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.y8kdmHi6x3.exe.bc0000.1.unpack, Loader/Nyan.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\SYSTEM32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\ProgramData\Synaptics\Synaptics.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: y8kdmHi6x3.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: y8kdmHi6x3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: y8kdmHi6x3.exe Static file information: File size 2083328 > 1048576
Source: y8kdmHi6x3.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c8600
Source: y8kdmHi6x3.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323334149.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: &C:\Users\DarkCoderSc\Desktop\Celesty Binder\Stub\STATIC\Stub.pdb source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323334149.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000002.330463790.00000000003C9000.00000002.00000001.01000000.00000005.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp

Data Obfuscation

Source: y8kdmHi6x3.exe, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.y8kdmHi6x3.exe.5b0000.0.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.y8kdmHi6x3.exe.5b0000.0.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Synaptics.exe.4.dr, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.2.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.13.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.25.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.0.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.15.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.5.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.1.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.3.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.20.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.9.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.11.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.y8kdmHi6x3.exe.bc0000.4.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.y8kdmHi6x3.exe.bc0000.7.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: SYSTEM32.EXE.6.dr, mFomRpTnURes/BEzzbvoTDpsx.cs .Net Code: ZfRHHqObaOVxIv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.0.SYSTEM32.EXE.da0000.0.unpack, mFomRpTnURes/BEzzbvoTDpsx.cs .Net Code: ZfRHHqObaOVxIv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.2.SYSTEM32.EXE.da0000.0.unpack, mFomRpTnURes/BEzzbvoTDpsx.cs .Net Code: ZfRHHqObaOVxIv System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.0.Synaptics.exe.bc0000.0.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 8.2.Synaptics.exe.bc0000.0.unpack, Loader/Nyan.cs .Net Code: Initialize System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: ._cache_WINDOWS.EXE.9.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ._cache_WINDOWS.EXE.9.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 0_2_00FCF9C4 push 8402A7CFh; iretd 0_2_00FCF9C9
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 0_2_00FCFB60 pushfd ; iretd 0_2_00FCFB61
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00446564 push 004465F1h; ret 4_2_004465E9
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00406B3C push 00406B8Dh; ret 4_2_00406B85
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00478CB0 push 00478D2Dh; ret 4_2_00478D25
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00422044 push ecx; mov dword ptr [esp], edx 4_2_00422049
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042E010 push 0042E03Ch; ret 4_2_0042E034
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0046C0B0 push ecx; mov dword ptr [esp], eax 4_2_0046C0B2
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004761F8 push 0047623Bh; ret 4_2_00476233
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0049419C push 004941CFh; ret 4_2_004941C7
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042E1BC push 0042E1E8h; ret 4_2_0042E1E0
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00480210 push 0048023Ch; ret 4_2_00480234
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004842DC push 00484308h; ret 4_2_00484300
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0048036C push 00480398h; ret 4_2_00480390
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042C3D0 push 0042C3FCh; ret 4_2_0042C3F4
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00432468 push 004324B4h; ret 4_2_004324AC
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00486408 push 004864ADh; ret 4_2_004864A5
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0047C404 push 0047C430h; ret 4_2_0047C428
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00432404 push 00432447h; ret 4_2_0043243F
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004324C0 push 0043250Bh; ret 4_2_00432503
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042C4C4 push 0042C4F0h; ret 4_2_0042C4E8
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004464FC push 00446562h; ret 4_2_0044655A
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00490554 push 00490580h; ret 4_2_00490578
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0047A514 push 0047A540h; ret 4_2_0047A538
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00432518 push 00432544h; ret 4_2_0043253C
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00496530 push 00496586h; ret 4_2_0049657E
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0048859C push 004885DEh; ret 4_2_004885D6
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00432650 push 004326C6h; ret 4_2_004326BE
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0049A6BC push 0049A745h; ret 4_2_0049A73D
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00480744 push 00480770h; ret 4_2_00480768
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0049A750 push 0049A776h; ret 4_2_0049A76E
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004730FC LoadLibraryA,GetProcAddress,SHGetSpecialFolderLocation,SHGetPathFromIDList,SHGetSpecialFolderLocation,SHGetPathFromIDList, 4_2_004730FC
Source: WINDOWS.EXE.6.dr Static PE information: real checksum: 0x0 should be: 0xff011
Source: y8kdmHi6x3.exe Static PE information: real checksum: 0x0 should be: 0x2013d1
Source: Synaptics.exe.4.dr Static PE information: real checksum: 0x0 should be: 0x2013d1
Source: SYSTEM32.EXE.6.dr Static PE information: real checksum: 0x0 should be: 0x10e22
Source: ._cache_WINDOWS.EXE.9.dr Static PE information: real checksum: 0x0 should be: 0x38554
Source: ._cache_y8kdmHi6x3.exe.4.dr Static PE information: real checksum: 0x1c288 should be: 0x11595d
Source: initial sample Static PE information: section name: .text entropy: 7.99980395725
Source: ._cache_WINDOWS.EXE.9.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: ._cache_WINDOWS.EXE.9.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
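The static findings in this report (a PE CheckSum stored as 0 where the linker would have written 0x2013d1, a .text section with entropy 7.9998, an IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marking a .NET image, and the DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE DllCharacteristics) are cheap to reproduce offline before a sample is ever detonated. A zero CheckSum together with near-maximal .text entropy is the usual signature of a packed or binder-wrapped payload, which is consistent with the Celesty Binder PDB path recorded above. The script below is an added example, not part of the Joe Sandbox report or of the sample: it implements the imagehlp CheckSum algorithm, Shannon entropy per section, the CLR directory test and the flag decode in pure Python, and because the sample itself is not available here it constructs a toy single-section PE32 inline. The 7.0 entropy threshold and the toy header values are assumptions.

```python
"""Static triage of the report's PE findings: CheckSum, section entropy,
CLR (COM descriptor) directory and DllCharacteristics. Added example; the
sample is not available here, so a toy PE is constructed inline."""
import math
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14          # .NET CLR header directory
DLL_CHARACTERISTICS = {                            # the flags named in the report
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
PACKED_ENTROPY_THRESHOLD = 7.0                     # heuristic, assumed value


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as imagehlp computes it: sum every dword with end-around
    carry, treating the CheckSum field itself as zero, fold to 16 bits and
    add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == checksum_offset // 4:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); ~8 means packed/encrypted."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk just enough of the PE32/PE32+ headers for the checks below."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    clr_rva = struct.unpack_from("<I", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)[0]
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rptr, rsize))
    return {
        "checksum_offset": opt + 0x40,             # same offset in PE32 and PE32+
        "stored_checksum": struct.unpack_from("<I", data, opt + 0x40)[0],
        "dll_characteristics": struct.unpack_from("<H", data, opt + 70)[0],
        "clr_rva": clr_rva,
        "sections": sections,
    }


def triage(data: bytes) -> dict:
    """Reproduce the report's static checks and return the verdicts."""
    pe = parse_pe(data)
    computed = pe_checksum(data, pe["checksum_offset"])
    entropy = {name: shannon_entropy(data[rptr:rptr + rsize]) for name, rptr, rsize in pe["sections"]}
    return {
        "stored_checksum": pe["stored_checksum"],
        "computed_checksum": computed,
        "checksum_mismatch": pe["stored_checksum"] != computed,
        "is_dotnet": pe["clr_rva"] != 0,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if pe["dll_characteristics"] & bit],
        "section_entropy": entropy,
        "packed_sections": [n for n, e in entropy.items() if e > PACKED_ENTROPY_THRESHOLD],
    }


def build_toy_pe(text: bytes, checksum: int = 0, dll_chars: int = 0x8540, clr_rva: int = 0x2000) -> bytes:
    """Constructed single-section PE32 for the demo (not the analysed sample;
    header fields the checks do not read are left zero)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, clr_rva, 72 if clr_rva else 0)
    raw_off = 0x200
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_off, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(raw_off, b"\0") + text


if __name__ == "__main__":
    # Emulate the report: CheckSum left at 0 and a .text section that is
    # near-uniform (entropy close to 8), as a packed .NET binary would be.
    sample = build_toy_pe(bytes(range(256)) * 16)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

On a real file, replace the toy with `triage(open(path, "rb").read())`; the CheckSum field is skipped during the sum, so writing the computed value back into the header makes the file self-consistent, which is how a linker or a signing tool would set it.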

Persistence and Installation Behavior

Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\Documents\BNAGMGSPLO\~$cache1
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File created: C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\AppData\Local\Temp\yi1yMTqS.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\AppData\Local\Temp\RCX831F.tmp
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File created: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\Desktop\y8kdmHi6x3.exe
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe File created: C:\Users\user\Desktop\WINDOWS.EXE
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe File created: C:\Users\user\Desktop\SYSTEM32.EXE
Source: C:\Users\user\Desktop\WINDOWS.EXE File created: C:\Users\user\Desktop\._cache_WINDOWS.EXE
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\AppData\Local\Temp\RCX788E.tmp
Source: C:\ProgramData\Synaptics\Synaptics.exe File created: C:\Users\user\Desktop\._cache_Synaptics.exe

Boot Survival

Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3fef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3e27d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.46e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.40cf190.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3f07d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.46af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.44e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.48af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4320940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3c60940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3d40940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4520940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.426967542.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.403770740.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.442628618.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.413670718.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.425456929.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.327639082.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.395835615.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
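The match list above mixes four kinds of source identifier (unpacked PE dumps, raw memory dumps, whole process memory and dropped files). The following parser is an added example, not code from the report or from Joe Sandbox; it turns those identifiers into structured records so the hits can be grouped per process-tree node and the executable private regions (where injected or self-unpacked payloads sit) pulled out. The field layout is inferred from this page's own entries: in a `.sdmp` name the first field is the process index in hex (0x15 is process 21, matching the `21.0.Synaptics.exe...` unpack names), the second is the snapshot phase (0 at process start, 2 at process end) and the fourth is the region base. Decoding the fifth and seventh fields as the Windows PAGE_* and MEM_* constants is an assumption; the third, sixth and eighth fields are left undecoded. The sample lines are copied from the list above.

```python
"""Parse the Yara-match source identifiers used in this report.

Added example, not code from the report or from Joe Sandbox. Field layout is
inferred from the entries on this page; PAGE_*/MEM_* decoding of the fifth and
seventh .sdmp fields is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x00020000: "MEM_PRIVATE", 0x00040000: "MEM_MAPPED", 0x01000000: "MEM_IMAGE"}

# <proc hex>.<phase hex>.<id>.<base 64-bit hex>.<protect>.<?>.<type>.<?>.sdmp
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# <proc>.<phase>.<image name>.<base hex>.<n>.[raw.]unpack  (image names may start with a dot)
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)\.(raw\.)?unpack$")
PROC_RE = re.compile(r"^Process Memory Space: (.+) PID: (\d+)$")
LINE_RE = re.compile(r"^Source: Yara match File source: (.+?), type: (\w+)$")


@dataclass
class YaraSource:
    kind: str                           # UNPACKEDPE, MEMORY, MEMORYSTR or DROPPED
    name: str                           # identifier exactly as printed in the report
    process: Optional[int] = None       # index in the report's process tree
    phase: Optional[int] = None         # 0 = dumped at process start, 2 = at process end
    base: Optional[int] = None          # region or image base address
    protection: Optional[str] = None    # decoded PAGE_* value (assumption)
    region_type: Optional[str] = None   # decoded MEM_* value (assumption)
    pid: Optional[int] = None           # OS PID, only for MEMORYSTR entries
    path: Optional[str] = None          # image name or dropped-file path


def parse_source(name: str, kind: str) -> YaraSource:
    """Classify one 'File source' value and pull out the fields it carries."""
    src = YaraSource(kind=kind, name=name)
    m = SDMP_RE.match(name)
    if m:
        src.process = int(m.group(1), 16)
        src.phase = int(m.group(2), 16)
        src.base = int(m.group(4), 16)
        src.protection = PAGE_PROTECT.get(int(m.group(5), 16), "0x" + m.group(5))
        src.region_type = MEM_TYPE.get(int(m.group(7), 16), "0x" + m.group(7))
        return src
    m = UNPACK_RE.match(name)
    if m:
        src.process, src.phase = int(m.group(1)), int(m.group(2))
        src.path, src.base = m.group(3), int(m.group(4), 16)
        return src
    m = PROC_RE.match(name)
    if m:
        src.path, src.pid = m.group(1), int(m.group(2))
        return src
    src.path = name                     # DROPPED entries are plain file paths
    return src


def parse_report(lines: List[str]) -> List[YaraSource]:
    """Keep only 'Source: Yara match File source: ..., type: ...' lines."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            found.append(parse_source(m.group(1), m.group(2)))
    return found


def by_process(sources: List[YaraSource]) -> Dict[int, List[YaraSource]]:
    """Group dump and unpack hits by process index so one process-tree node can be pivoted on."""
    groups: Dict[int, List[YaraSource]] = defaultdict(list)
    for s in sources:
        if s.process is not None:
            groups[s.process].append(s)
    return dict(groups)


def executable_private_regions(sources: List[YaraSource]) -> List[YaraSource]:
    """Hits in private, executable memory: the usual home of an injected or self-unpacked payload."""
    return [s for s in sources
            if s.region_type == "MEM_PRIVATE" and s.protection is not None and "EXECUTE" in s.protection]


# Constructed input: a handful of lines copied from the match list in this report.
SAMPLE_LINES = r"""
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
""".strip().splitlines()

if __name__ == "__main__":
    hits = parse_report(SAMPLE_LINES)
    for proc, items in sorted(by_process(hits).items()):
        print(f"process {proc}: {len(items)} hit(s)")
    for s in executable_private_regions(hits):
        print(f"executable private region in process {s.process} at {s.base:#x} ({s.name})")
```

Run against the full report text instead of `SAMPLE_LINES`, the per-process grouping shows at a glance which nodes of the process tree (here the repeated `Synaptics.exe` instances) carry the RAT, and the executable-private filter isolates the `0x4A5000` regions with `PAGE_EXECUTE_READWRITE` protection that the injected payload occupies.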
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp"
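The task-creation line above is what the report's Sigma hit "Suspicius Add Task From User AppData Temp" keys on: `schtasks /create` with an `/xml` definition staged in the user's `AppData\Local\Temp`, forced with `/f`, launched by a parent running from the Desktop. The following is an added example, not code from the report or from the Sigma rule; it reimplements that logic in plain Python over constructed process-creation records. The record layout (parent image plus command line) and the trusted-parent and staging-directory patterns are assumptions; the first command line is the one recorded in this report, the other two are benign-looking contrasts.

```python
"""Flag scheduled-task creation that loads its definition from a user staging directory.

Added example, not code from the report or from the Sigma rule it cites. The
record layout (parent image + command line) is an assumption.
"""
import re
from typing import Dict, List

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# User-writable staging directories an installer has no reason to keep task XML in.
USER_STAGING_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# Parent images installed under a machine-wide, admin-only location (assumed allowlist).
TRUSTED_PARENT_RE = re.compile(r"^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\", re.IGNORECASE)
# schtasks switches that consume the following token as their value.
VALUE_SWITCHES = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/st", "/sd", "/mo", "/rl", "/ri", "/du"}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Return schtasks switches (lower-cased) and their values; {} if this is not schtasks."""
    toks = tokenize(cmdline)
    if not toks:
        return {}
    image = toks[0].lower()
    if not (image == "schtasks" or image.endswith("schtasks.exe")):
        return {}
    opts: Dict[str, str] = {}
    i = 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw.startswith("/"):
            if sw in VALUE_SWITCHES and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[sw] = toks[i + 1]
                i += 2
                continue
            opts[sw] = ""
        i += 1
    return opts


def assess(record: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation record; 'suspicious' is set only by the staging-dir rule."""
    opts = parse_schtasks(record["cmdline"])
    reasons: List[str] = []
    if "/create" in opts:
        xml = opts.get("/xml", "")
        if xml and USER_STAGING_RE.search(xml):
            reasons.append("xml_from_user_staging_dir")
        if "/f" in opts:                                  # silently overwrites an existing task
            reasons.append("force_overwrite")
        if not TRUSTED_PARENT_RE.match(record["parent"]):
            reasons.append("parent_outside_program_dirs")
    return {
        "task_name": opts.get("/tn"),
        "xml_path": opts.get("/xml") or None,
        "reasons": reasons,
        "suspicious": "xml_from_user_staging_dir" in reasons,
    }


def scan(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Assess every record and return only the flagged ones."""
    return [r for r in (assess(rec) for rec in records) if r["suspicious"]]


# Constructed records: the first pairs the parent and command line recorded in this
# report; the other two are benign-looking task creations for contrast.
RECORDS = [
    {"parent": r"C:\Users\user\Desktop\._cache_WINDOWS.EXE",
     "cmdline": r'"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\run.exe" /sc daily /st 02:00'},
    {"parent": r"C:\Users\user\Downloads\vendor-setup.exe",
     "cmdline": r'schtasks.exe /create /tn "Vendor Updater" /xml "C:\ProgramData\Vendor\updater.xml"'},
]

if __name__ == "__main__":
    for hit in scan(RECORDS):
        print(f"FLAGGED task {hit['task_name']!r} from {hit['xml_path']}: {', '.join(hit['reasons'])}")
```

Only the staging-directory rule sets `suspicious`; the other two reasons are context that raises the priority of a hit rather than standalone detections, since legitimate per-user installers also run `schtasks` from outside `Program Files`. The `/xml` temp file is deleted by the malware after registration, so the scheduled task's stored definition (name "DHCP Monitor", action under `C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe` as seen later in this section) is what remains for triage.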

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE File opened: C:\Users\user\Desktop\._cache_WINDOWS.EXE:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_00459934
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_0045A054
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_0045A104
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect, 4_2_0042C6FC
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0044083C IsIconic,GetCapture, 4_2_0044083C
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_0045695C
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_004410F0
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00459934 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 9_2_00459934
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 9_2_0045A054
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 9_2_0045A104
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0042C6FC IsIconic,GetWindowPlacement,GetWindowRect, 9_2_0042C6FC
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0044083C IsIconic,GetCapture, 9_2_0044083C
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_0045695C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 9_2_0045695C
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_004410F0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 9_2_004410F0
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00441A14 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 9_2_00441A14
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0042E3B4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0042E3B4
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\WINDOWS.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Synaptics\Synaptics.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3fef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3e27d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.46e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.40cf190.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3f07d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.46af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.44e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.48af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4320940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3c60940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3d40940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4520940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.426967542.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.403770740.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.442628618.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.413670718.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.425456929.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.327639082.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.395835615.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, SYSTEM32.EXE, SYSTEM32.EXE, 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00435BD4 9_2_00435BD4
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe TID: 6452 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SYSTEM32.EXE TID: 6960 Thread sleep time: -75000s >= -30000s
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE TID: 5248 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE TID: 5344 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE TID: 4940 Thread sleep time: -240000s >= -30000s
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 1740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 7092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE TID: 2824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 4588 Thread sleep time: -480000s >= -30000s
Source: C:\ProgramData\Synaptics\Synaptics.exe TID: 4292 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\SYSTEM32.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Synaptics\Synaptics.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Window / User API: foregroundWindowGot 710
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe API coverage: 8.2 %
Source: C:\Users\user\Desktop\WINDOWS.EXE API coverage: 7.7 %
Source: C:\ProgramData\Synaptics\Synaptics.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RCX831F.tmp
Source: C:\ProgramData\Synaptics\Synaptics.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RCX788E.tmp
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_00458EA4
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 9_2_00458EA4
Source: C:\ProgramData\Synaptics\Synaptics.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.560111317.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.367194735.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.522432696.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.517789046.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.468815421.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.430401552.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.477896338.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.377858654.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.462811842.0000000000C45000.00000004.00000020.00020000.00000000.sdmp, ._cache_WINDOWS.EXE, 0000000B.00000003.430006882.0000000000C45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: vmware
Source: Synaptics.exe, 00000014.00000000.445482616.0000000001344000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWthernet (Kernel Debugger)
Source: Synaptics.exe, 00000014.00000002.527672867.000000000131A000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000000.445521373.000000000135F000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000014.00000002.527570253.00000000012C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00426548 GetSystemInfo, 4_2_00426548
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 4_2_004099E0
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_00406018
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 9_2_004099E0
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 9_2_00406018
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: 9_2_00409B1C FindFirstFileA,GetLastError, 9_2_00409B1C
Source: C:\Users\user\Desktop\SYSTEM32.EXE File Volume queried: C:\ FullSizeInformation

Anti Debugging

Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_004730FC LoadLibraryA,GetProcAddress,SHGetSpecialFolderLocation,SHGetPathFromIDList,SHGetSpecialFolderLocation,SHGetPathFromIDList, 4_2_004730FC
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Code function: 6_2_003C2701 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_003C2701
Source: C:\Users\user\Desktop\SYSTEM32.EXE Process token adjusted: Debug
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process token adjusted: Debug
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Code function: 6_2_003C4991 SetUnhandledExceptionFilter, 6_2_003C4991
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Code function: 6_2_003C3BEC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_003C3BEC

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\Synaptics\Synaptics.exe Memory written: C:\ProgramData\Synaptics\Synaptics.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\y8kdmHi6x3.exe C:\Users\user\Desktop\y8kdmHi6x3.exe
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe "C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe"
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\SYSTEM32.EXE "C:\Users\user\Desktop\SYSTEM32.EXE"
Source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe Process created: C:\Users\user\Desktop\WINDOWS.EXE "C:\Users\user\Desktop\WINDOWS.EXE"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\Users\user\Desktop\._cache_WINDOWS.EXE "C:\Users\user\Desktop\._cache_WINDOWS.EXE"
Source: C:\Users\user\Desktop\WINDOWS.EXE Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp939D.tmp
Source: C:\Users\user\Desktop\._cache_WINDOWS.EXE Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp9EC9.tmp
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\Synaptics.exe C:\ProgramData\Synaptics\Synaptics.exe
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\Users\user\Desktop\._cache_Synaptics.exe "C:\Users\user\Desktop\._cache_Synaptics.exe"
Source: C:\ProgramData\Synaptics\Synaptics.exe Process created: C:\ProgramData\Synaptics\._cache_Synaptics.exe "C:\ProgramData\Synaptics\._cache_Synaptics.exe"
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00473490 ShellExecuteEx,Sleep,WaitForSingleObject, 4_2_00473490
Source: ._cache_WINDOWS.EXE, 0000000B.00000003.539533200.0000000000C23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerection was forcibly closed by the remote host.

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_004061D0
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: GetLocaleInfoA,GetACP, 4_2_0040E088
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_004062DC
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: GetLocaleInfoA, 4_2_0040C964
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: GetLocaleInfoA, 4_2_0040C9B0
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: GetLocaleInfoA, 4_2_00406AC6
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: GetLocaleInfoA, 4_2_00406AC8
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 9_2_004061D0
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: GetLocaleInfoA,GetACP, 9_2_0040E088
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 9_2_004062DC
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: GetLocaleInfoA, 9_2_0040C964
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: GetLocaleInfoA, 9_2_0040C9B0
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: GetLocaleInfoA, 9_2_00406AC6
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: GetLocaleInfoA, 9_2_00406AC8
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Queries volume information: C:\Users\user\Desktop\y8kdmHi6x3.exe VolumeInformation
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\SYSTEM32.EXE Queries volume information: C:\Users\user\Desktop\SYSTEM32.EXE VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\ProgramData\Synaptics\Synaptics.exe VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\ProgramData\Synaptics\Synaptics.exe VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\ProgramData\Synaptics\Synaptics.exe VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\ProgramData\Synaptics\Synaptics.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0040B2D4 GetLocalTime, 4_2_0040B2D4
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_0047E020 GetTimeZoneInformation, 4_2_0047E020
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00472E58 GetUserNameA, 4_2_00472E58
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: 4_2_00446564 GetVersion, 4_2_00446564

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3fef190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3e27d70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.46e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.SYSTEM32.EXE.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.40cf190.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3f07d70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.46af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.44e7d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.48af190.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4320940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.3c60940.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.3d40940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4520940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.558804825.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.426967542.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.403770740.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.442628618.0000000000842000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.413670718.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.425456929.0000000000862000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.326093400.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.327639082.0000000000DA2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.395835615.0000000000382000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.392491539.0000000004159000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.427064129.0000000004359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.401697054.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SYSTEM32.EXE PID: 6952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\SYSTEM32.EXE, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED

Stealing of Sensitive Information

Source: Yara match File source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED

Remote Access Functionality

Source: y8kdmHi6x3.exe, 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: y8kdmHi6x3.exe, 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_y8kdmHi6x3.exe, 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Synaptics.exe, 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: WINDOWS.EXE, 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562031611.0000000004F70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.562031611.0000000004F70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.560829147.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 0000000B.00000002.560829147.0000000002B91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Synaptics.exe, 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Synaptics.exe, 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: ._cache_WINDOWS.EXE, 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: ._cache_WINDOWS.EXE, 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Synaptics.exe, 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Synaptics.exe, 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Synaptics.exe, 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match File source: 11.0.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.584130.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.._cache_WINDOWS.EXE.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.29.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.584130.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.5b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.46231f5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.32.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.27.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.48e4dc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.437ebcc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.28.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.29.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3be31f5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cbff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.4619d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.4b8e54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4cb40a4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.461ebcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.584130.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bd9d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.31.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.33.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4c4d1c.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4c4d1c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45fff6c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.44fa750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.3cf0c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.4379d96.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.584130.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.._cache_y8kdmHi6x3.exe.48e4dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.._cache_y8kdmHi6x3.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.._cache_WINDOWS.EXE.43831f5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.45da750.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.4b8e14.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.584130.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.59e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.34.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.y8kdmHi6x3.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46d40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.4b8e54.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.584130.32.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.dhcpmon.exe.461ebcc.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.WINDOWS.EXE.4b8e14.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.y8kdmHi6x3.exe.45f40a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.Synaptics.exe.584130.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.._cache_WINDOWS.EXE.3bdebcc.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.4b8e54.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.WINDOWS.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.Synaptics.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.4c4d1c.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.Synaptics.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.Synaptics.exe.46dff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4ebff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.4c4d1c.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.4b8e54.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.Synaptics.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.y8kdmHi6x3.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Synaptics.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4eb40a4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Synaptics.exe.4dba750.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Synaptics.exe.4bba750.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.380515314.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.406005434.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.401049585.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.349954370.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.430706138.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.401578463.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.337978553.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.562480973.00000000059E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.404128666.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.412834234.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.415586772.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.392435877.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.420990382.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.356343368.0000000000E22000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.439856260.0000000000F32000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388059549.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.431447633.00000000000FF000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.561753594.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.329629304.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.460036376.0000000003ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.441301976.00000000004A5000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.439738650.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390475509.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.417653653.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.386810827.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.381330192.00000000045D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.558823372.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.422157438.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.441431426.0000000003711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.384287270.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.526679054.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.400361614.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.400197509.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.334103669.00000000005B2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.376096056.0000000004331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.436004480.0000000000832000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.459917090.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.406913050.0000000000E7F000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.429485363.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.374769254.0000000000D72000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.443173289.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317487314.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.459034432.00000000008E2000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.323345675.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.441940953.0000000004711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.401818941.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.440103209.0000000003F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.329527934.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.330595199.00000000003CF000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316599175.00000000004A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.375988189.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.381281938.00000000035D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.439646112.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.405483096.00000000004A5000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.404592341.0000000004B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.434303523.0000000004D59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.423679022.0000000004579000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.330915609.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 5268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: y8kdmHi6x3.exe PID: 4844, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_y8kdmHi6x3.exe PID: 6232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WINDOWS.EXE PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 6632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ._cache_WINDOWS.EXE PID: 6692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 4964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Synaptics.exe PID: 5976, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Desktop\._cache_WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_y8kdmHi6x3.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\WINDOWS.EXE, type: DROPPED
Source: Yara match File source: C:\ProgramData\Synaptics\._cache_Synaptics.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\._cache_Synaptics.exe, type: DROPPED
Source: C:\Users\user\Desktop\y8kdmHi6x3.exe Code function: cmd.exe /C 4_2_00475384
Source: C:\Users\user\Desktop\WINDOWS.EXE Code function: cmd.exe /C 9_2_00475384