Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_00723AED
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A209C8
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A21D2E
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A209CD
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A231D8
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A28EA8
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A28FB2
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A22F88
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A22F77
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A23C32
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_02A2E598
Source: C:\Users\user\Desktop\OFFER.exe | Code function: 0_2_00722050
Source: OFFER.exe, 00000000.00000000.202703558.00000000007B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212114802.0000000004FF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.213553763.0000000005BC0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212759761.0000000005460000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.214012672.0000000005CC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs OFFER.exe
Source: OFFER.exe, 00000000.00000002.212203919.0000000005050000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameexag vs OFFER.exe
Source: OFFER.exe, 00000003.00000000.208615410.0000000001024000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: OFFER.exe | Binary or memory string: OriginalFilenamemQWh.exe8 vs OFFER.exe
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.211065928.0000000003EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: OFFER.exe, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\OFFER.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_01
Source: C:\Users\user\Desktop\OFFER.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{e9662336-59a2-4ebb-989e-7c602bdb23a8}
Source: C:\Users\user\Desktop\OFFER.exe | Mutant created: \Sessions\1\BaseNamedObjects\qkUPEOxutgScEw
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\OFFER.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: unknown | Process created: C:\Users\user\Desktop\OFFER.exe 'C:\Users\user\Desktop\OFFER.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe
Source: C:\Users\user\Desktop\OFFER.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RplepwTnfZYE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5D6.tmp'
Source: C:\Users\user\Desktop\OFFER.exe | Process created: C:\Users\user\Desktop\OFFER.exe C:\Users\user\Desktop\OFFER.exe
Source: OFFER.exe, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: RplepwTnfZYE.exe.0.dr, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.OFFER.exe.720000.0.unpack, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.OFFER.exe.720000.0.unpack, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.OFFER.exe.f90000.0.unpack, IdManager.cs | .Net Code: Remoting_Identity_IDGuid System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\OFFER.exe | Process information set: NOOPENFILEERRORBOX
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: OFFER.exe, 00000000.00000002.210666466.0000000002EA1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools