Click to jump to signature section
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4189f41b-a3e5-405b-b524-4758becc", "Group": "2022", "Domain1": "107.173.60.45", "Domain2": "sys2021.linkpc.net", "Port": 54955, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"} |
Source: Yara match | File source: ZgzIenrtf5.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR |
Source: ZgzIenrtf5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED |
Source: | Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49760 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49764 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49765 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49766 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49767 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49770 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49771 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49772 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49773 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49780 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49782 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49790 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49792 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49800 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49816 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49833 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49835 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49836 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49851 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49864 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49865 -> 107.173.60.45:54955 |
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49866 -> 107.173.60.45:54955 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.60.45 |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://google.com |
Source: Yara match | File source: ZgzIenrtf5.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR |
Source: ZgzIenrtf5.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: ZgzIenrtf5.exe, type: SAMPLE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.3.ZgzIenrtf5.exe.45f13d1.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: ZgzIenrtf5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED |
Source: ZgzIenrtf5.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: ZgzIenrtf5.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: ZgzIenrtf5.exe, type: SAMPLE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.3.ZgzIenrtf5.exe.45f13d1.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs ZgzIenrtf5.exe |
Source: ZgzIenrtf5.exe | Virustotal: Detection: 86% |
Source: ZgzIenrtf5.exe | Metadefender: Detection: 85% |
Source: ZgzIenrtf5.exe | ReversingLabs: Detection: 100% |
Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{4189f41b-a3e5-405b-b524-4758beccda47} |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking |
Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: ZgzIenrtf5.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: ZgzIenrtf5.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: | Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp |
Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: ZgzIenrtf5.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: ZgzIenrtf5.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK' |
Source: ZgzIenrtf5.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=' |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=' |
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK' |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: ZgzIenrtf5.exe, 00000000.00000003.428666489.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345115199.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.310965222.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.327147578.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.377753622.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345264925.0000000001239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: ZgzIenrtf5.exe, 00000000.00000003.377753622.0000000001230000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managern has been aborted because of either a thread exit or an application request. |
Source: ZgzIenrtf5.exe, 00000000.00000003.267807619.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.428823908.0000000001275000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.311041106.0000000001275000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345144821.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.428666489.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.268003698.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269915949.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269371251.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.264789773.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.264327717.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.266555878.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.327181994.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.311025603.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269207163.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.416726966.000000000125C000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.271493996.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.270074289.000000000127A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: Yara match | File source: ZgzIenrtf5.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost |
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeA |