Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49701 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49701 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49702 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49702 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49703 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49703 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49707 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49707 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49709 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 45.132.106.37:6445 -> 192.168.2.5:49709 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49710 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49711 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49711 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2823337 ETPRO TROJAN Nanocore Checkin Pattern 192.168.2.5:49711 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49712 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49712 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49716 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49716 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49717 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49717 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49719 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49719 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49720 |
Source: Traffic | Snort IDS: 2810451 ETPRO TROJAN NanoCore RAT Keepalive Response 3 45.132.106.37:6445 -> 192.168.2.5:49720 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49720 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49722 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49722 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49723 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49725 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49725 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49726 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49726 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49727 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49727 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49729 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49729 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49730 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49731 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49731 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49733 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49733 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49734 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49735 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49735 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49736 |
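The alert block above is one C2 channel seen through many short-lived TCP sessions: the external side is always 45.132.106.37:6445, while the victim's source port walks from 49701 to 49736 and the same handful of ET PRO SIDs fire on each reconnect. The Python below (an added example, not part of the sandbox report or of the Snort/ET PRO ruleset) parses a copied subset of those lines, orients each alert as victim-to-external or external-to-victim using RFC 1918 membership, and collapses the churn into one blockable C2 indicator plus per-SID and per-direction counts. The line layout it expects, "Snort IDS: <sid> <message> <src>:<port> -> <dst>:<port>", is assumed from the report's formatting.

```python
"""Summarise the NanoCore C2 channel from the Snort/ET PRO alert lines above.
Added example, not part of the sandbox report."""
import ipaddress
import re
from collections import Counter, defaultdict

# A subset of the alert lines from the report, copied verbatim. The parser
# assumes the "Snort IDS: <sid> <message> <src>:<port> -> <dst>:<port>" layout.
SAMPLE_ALERTS = """\
Source: Traffic | Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 45.132.106.37:6445 -> 192.168.2.5:49701 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49701 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49702 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49703 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 45.132.106.37:6445 -> 192.168.2.5:49709 |
Source: Traffic | Snort IDS: 2823337 ETPRO TROJAN Nanocore Checkin Pattern 192.168.2.5:49711 -> 45.132.106.37:6445 |
Source: Traffic | Snort IDS: 2810451 ETPRO TROJAN NanoCore RAT Keepalive Response 3 45.132.106.37:6445 -> 192.168.2.5:49720 |
Source: Traffic | Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49735 -> 45.132.106.37:6445 |
"""

ALERT_RE = re.compile(
    r"Snort IDS:\s+(?P<sid>\d+)\s+(?P<msg>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Turn each alert line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            events.append({
                "sid": int(m["sid"]), "msg": m["msg"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
            })
    return events


def is_internal(ip):
    """RFC 1918 / loopback / link-local addresses count as the victim side."""
    return ipaddress.ip_address(ip).is_private


def summarise_c2(events):
    """Orient every alert as victim <-> external endpoint and aggregate.

    NanoCore reopens its TCP session often, so the victim's ephemeral port
    keeps changing while the external ip:port stays fixed; collapsing on the
    external side is what yields a usable C2 indicator."""
    summary = {
        "c2": Counter(),                   # (ext ip, ext port) -> alert count
        "victim_ports": defaultdict(set),  # victim ip -> ephemeral ports seen
        "direction": Counter(),            # "outbound" / "inbound" alert counts
        "sids": defaultdict(set),          # sid -> distinct messages
    }
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            victim, ext, way = (e["src"], e["sport"]), (e["dst"], e["dport"]), "outbound"
        elif is_internal(e["dst"]) and not is_internal(e["src"]):
            victim, ext, way = (e["dst"], e["dport"]), (e["src"], e["sport"]), "inbound"
        else:
            continue  # not a private<->public pair, so not a C2 leg
        summary["c2"][ext] += 1
        summary["victim_ports"][victim[0]].add(victim[1])
        summary["direction"][way] += 1
        summary["sids"][e["sid"]].add(e["msg"])
    return summary


def c2_endpoints(summary):
    """Block-list ready 'ip:port' strings, most-alerted first."""
    return [f"{ip}:{port}" for (ip, port), _ in summary["c2"].most_common()]


def distinct_victim_ports(summary, victim_ip):
    """How many separate connections the victim opened (reconnect churn)."""
    return len(summary["victim_ports"][victim_ip])


if __name__ == "__main__":
    s = summarise_c2(parse_alerts(SAMPLE_ALERTS))
    print("C2 endpoints:", c2_endpoints(s))
    print("alerts by direction:", dict(s["direction"]))
    for victim in s["victim_ports"]:
        print(f"{victim}: {distinct_victim_ports(s, victim)} distinct source ports")
    for sid, msgs in sorted(s["sids"].items()):
        print(sid, "|", "; ".join(sorted(msgs)))
```

Run against the full alert block rather than the eight-line subset, the same code reports one endpoint, 45.132.106.37:6445, and about three dozen distinct victim source ports; that ratio (one fixed peer, many short sessions) is the behavioural signal worth alerting on even after the IP changes.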
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe | Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems) |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems) |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems) |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems) |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems) |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems) |
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 1.2.tohjyweui.exe.643658.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 1.2.tohjyweui.exe.630000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 1.2.tohjyweui.exe.643658.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 1.2.tohjyweui.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000001.00000002.320288694.0000000000630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: tohjyweui.exe PID: 5884, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe | Code function: 0_2_00406D5F |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009D00A7 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009F78A4 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009CE8A2 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009CF9B4 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009B59D3 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009E11E1 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009CF289 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009D0BA1 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009CEBEA |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009D041B |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009CFD42 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009CF617 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009D0780 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009D0FD1 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009EFF1F |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009EEF20 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009CEF41 |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_00600F9C |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_00601247 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009B00A7 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009B041B |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009B0780 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009AE8A2 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009DAA75 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009B0BA1 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009AEBEA |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009B0FD1 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009CEF20 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C8F5E |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009AEF41 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009DAF71 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C11E1 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009AF289 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009DB389 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009CF430 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009AF617 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009DB7BE |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009D78A4 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009CF870 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009AF9B4 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009959D3 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009DBBF3 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009CDB32 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009AFD42 |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009CFF1F |
Source: unknown | Process created: C:\Users\user\Desktop\lb64Iy4W4e.exe C:\Users\user\Desktop\lb64Iy4W4e.exe |
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe | Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\AppData\Local\Temp\fwbfw.c |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe C:\Users\user\AppData\Local\Temp\tohjyweui.exe |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 632 |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 604 |
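The "Process created" lines above describe the execution chain: the sample on the Desktop drops and runs tohjyweui.exe from %TEMP% with a file argument, that process launches a fresh copy of itself, and a persistence copy under AppData\Roaming\swschqavfbk\ is started by a parent the sandbox did not trace, twice, crashing both times into WerFault.exe (PIDs 5716 and 5408). The Python below (an added example, not part of the sandbox report) rebuilds that tree from the lines, guarding against the self-launch loop, and emits triage notes from a few heuristic rules. The rules (Temp and Roaming paths, untraced parent, self-relaunch, WerFault PID, another observed binary passed as an argument) are my own heuristics, not a published detection, and the truncated argument `C:\Users\user\A` is kept as it appears in the report.

```python
"""Rebuild the process tree from the "Process created" lines above and flag
the execution pattern they show. Added example, not part of the sandbox report."""
import re
from collections import Counter, defaultdict

# Lines copied verbatim from the report (two end in a truncated argument and are
# kept that way). Format assumed: "Source: <parent> | Process created: <image> <command line> |"
SAMPLE_PROCESSES = r"""
Source: unknown | Process created: C:\Users\user\Desktop\lb64Iy4W4e.exe C:\Users\user\Desktop\lb64Iy4W4e.exe |
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe | Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\AppData\Local\Temp\fwbfw.c |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process created: C:\Users\user\AppData\Local\Temp\tohjyweui.exe C:\Users\user\AppData\Local\Temp\tohjyweui.exe |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 632 |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe "C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe" "C:\Users\user\AppData\Local\Temp\tohjyweui.exe" C:\Users\user\A |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 604 |
"""

PROC_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|\s*Process created:\s*(?P<image>\S+)\s*(?P<cmdline>.*?)\s*\|?\s*$"
)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\s.*-p\s+(\d+)", re.I)


def parse_processes(text):
    """One dict per launch: parent image, child image, full command line."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs.append({"parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"]})
    return procs


def build_tree(procs):
    """parent image -> Counter(child image): repeated launches become counts."""
    children = defaultdict(Counter)
    for p in procs:
        children[p["parent"]][p["image"]] += 1
    return children


def render_tree(children, root="unknown", depth=0, seen=frozenset()):
    """Indented tree; an image that launches itself is shown once, not recursed into."""
    lines = []
    for image, n in children.get(root, {}).items():
        label = "  " * depth + image + (f" (x{n})" if n > 1 else "")
        if image in seen or image == root:
            lines.append(label + "  [re-launch of itself]")
            continue
        lines.append(label)
        lines.extend(render_tree(children, image, depth + 1, seen | {image}))
    return lines


def findings(procs):
    """Heuristic triage notes (my rules, not a published signature)."""
    images = {p["image"].lower() for p in procs}
    notes = []
    for p in procs:
        img, par, cmd = p["image"], p["parent"], p["cmdline"]
        if TEMP_RE.search(img):
            notes.append(f"{img}: runs from the user Temp directory (dropped payload)")
        if ROAMING_RE.search(img):
            notes.append(f"{img}: runs from Roaming AppData (common persistence location)")
        if par == "unknown" and not img.lower().startswith(r"c:\users\user\desktop"):
            notes.append(f"{img}: parent not in the traced tree (heuristic: persistence trigger or untraced launcher)")
        if img == par:
            notes.append(f"{img}: launches a fresh copy of itself (typical of unpacking into a child process)")
        m = WERFAULT_RE.search(cmd)
        if m:
            notes.append(f"{par}: crashed, WerFault reporting on PID {m.group(1)}")
        for other in images - {img.lower()}:
            if other in cmd.lower():
                notes.append(f"{img}: receives another observed binary as an argument ({other})")
    return list(dict.fromkeys(notes))  # identical launches yield identical notes; keep one


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_PROCESSES)
    print("\n".join(render_tree(build_tree(procs))))
    print()
    for note in findings(procs):
        print("-", note)
```

Keying the tree on image path rather than PID is deliberate: the report gives no PIDs for the launches themselves, only for the crashed children via WerFault's `-p` argument, so counts per edge are the most the lines support.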
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: GetTickCount |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: Sleep |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: VirtualAlloc |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: Kernel32.dll |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: Embedding |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: regserver |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: unregserver |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: unregister |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: unreg |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: package |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: ACTION=ADMIN |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: uninstall |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: update |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: uiet |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: passive |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: help |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: REMOVE=ALL |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: REMOVE=ALL |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: @uv |
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009D9BCC mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009E6DA6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_0060005F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_0060017B mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_0060013E mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_00600109 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C6BBA mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C6BFD mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C6B77 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C6C58 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C6DA6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C6DD7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C6D1E mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009C6D62 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009B9BCC mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009B3171 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009B35EF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009DCE64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_00993306 SetUnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009BCE64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_00993171 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009935EF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: GetLocaleInfoW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: EnumSystemLocalesW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: GetLocaleInfoW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: GetLocaleInfoW, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Users\user\Desktop\lb64Iy4W4e.exe | Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
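The records above share one layout, `Source: <process> | <category>: <detail> |`, and three of the categories carry the behaviour a triager cares about: the `mov eax, dword ptr fs:[00000030h]` sites are reads of the PEB pointer from the 32-bit TEB (the BeingDebugged and NtGlobalFlag checks start there), the `IsDebuggerPresent` chains are the explicit debugger check, and the repeated `ROOT\SecurityCenter2` WMI queries enumerate registered antivirus, anti-spyware and firewall products. The following is an added example, not part of this report or of any sandbox product: it parses lines in this layout, labels each with a coarse technique name (the mapping is the editor's own heuristic, not the sandbox's), and flags processes that combine anti-analysis with host discovery while running from the user profile, so that a system component like `WerFault.exe`, which legitimately sets SetErrorMode flags, does not get flagged alongside the dropped binaries. The meaning of the `1_2_` prefix on the disassembly records (process index and analysis pass) is an assumption; the sample input is a condensed subset of the page's own records.

```python
"""Triage helper for sandbox behaviour records in the
'Source: <process> | <category>: <detail> |' layout used by this report.
Added example, not part of the report; technique labels are a heuristic mapping."""
import re
from collections import Counter, defaultdict

# Constructed sample: a condensed subset of the records on this page.
SAMPLE_RECORDS = r"""
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Command line argument: uninstall |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009D9BCC mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_0060005F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: 3_2_009B9BCC mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | Code function: 1_2_009DCE64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\AppData\Roaming\swschqavfbk\tpyienirbwgp.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct |
Source: C:\Users\user\AppData\Local\Temp\tohjyweui.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct |
"""

# Source path may contain ':' and the detail may contain '|' (e.g. two SetErrorMode flags).
RECORD_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<category>[^:|]+):\s*(?P<detail>.*?)\s*\|?\s*$"
)
# '<process index>_<pass>_<address> <body>' prefix on disassembly records (field meaning assumed).
CODEFUNC_RE = re.compile(r"^(?P<proc>\d+)_(?P<pass_>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<body>.*)$")

LOCALE_APIS = ("GetLocaleInfoW", "EnumSystemLocalesW", "GetUserDefaultLCID")


def classify(category, detail):
    """Map one record to a coarse technique label (heuristic, editor's own mapping)."""
    if category == "WMI Queries" and "SecurityCenter2" in detail:
        return "security-software-discovery"   # AV / anti-spyware / firewall enumeration via WMI
    if category == "Code function":
        if "fs:[00000030h]" in detail:
            return "peb-access"                # TEB->PEB read; BeingDebugged / NtGlobalFlag checks
        if "IsDebuggerPresent" in detail:
            return "debugger-check"
        if any(api in detail for api in LOCALE_APIS):
            return "locale-discovery"
    if category == "Process information set" and "ERRORBOX" in detail:
        return "error-dialog-suppression"      # SetErrorMode flags: hide crash / I/O dialogs
    if category == "Command line argument":
        return "installer-switch-string"       # MSI-style switches found in the binary
    return "other"


def parse_records(text):
    """Parse report lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["label"] = classify(rec["category"], rec["detail"])
        rec["proc_index"] = rec["address"] = None
        rec["apis"] = []
        if rec["category"] == "Code function":
            body = rec["detail"]
            cf = CODEFUNC_RE.match(body)
            if cf:
                rec["proc_index"] = int(cf["proc"])
                rec["address"] = int(cf["addr"], 16)
                body = cf["body"]
            if "," in body and " " not in body.strip(","):
                rec["apis"] = [a for a in body.split(",") if a]   # comma-separated API chain
        records.append(rec)
    return records


def summarize(records):
    """Per-source histogram of technique labels."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[rec["source"]][rec["label"]] += 1
    return dict(summary)


ANTI_ANALYSIS = {"peb-access", "debugger-check"}
DISCOVERY = {"security-software-discovery", "locale-discovery"}


def in_user_profile(source):
    """Binaries under C:\\Users (AppData, Desktop, Temp) get more suspicion than system
    components such as WerFault.exe, which also sets SetErrorMode flags."""
    return source.lower().startswith("c:\\users\\")


def flag_processes(summary):
    """Flag sources combining anti-analysis with host discovery that run from the user profile."""
    flagged = {}
    for source, counts in summary.items():
        anti = sum(counts[label] for label in ANTI_ANALYSIS)
        disc = sum(counts[label] for label in DISCOVERY)
        if anti and disc and in_user_profile(source):
            flagged[source] = {"anti_analysis": anti, "discovery": disc}
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for src, reasons in flag_processes(summarize(recs)).items():
        print(src, reasons)
```

Run against the sample, both dropped binaries are flagged (`tohjyweui.exe` for PEB reads plus the SecurityCenter2 queries, `tpyienirbwgp.exe` for a PEB read plus locale enumeration) while `WerFault.exe` is not; feeding the whole report through `parse_records` gives the per-process counts that the repeated lines above only show implicitly.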