Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack |
Malware Configuration Extractor: NanoCore {"Version": ".0.0.0,", "Mutex": "21f4355e-8257-4e77-8f1b-c822c6ea", "Group": "BUILD", "Domain1": "79.134.225.26", "Domain2": "nassiru1166main.ddns.net", "Port": 1133, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"} |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h |
0_2_04F50460 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h |
0_2_04F50451 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h |
0_2_04F505A8 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h |
0_2_04F50598 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49707 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49716 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49721 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49724 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49728 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49729 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49730 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49731 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49738 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49744 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49745 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49746 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49750 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49759 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49760 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49761 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49762 -> 79.134.225.26:1133 |
Source: Traffic |
Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49763 -> 79.134.225.26:1133 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 79.134.225.26 |
Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B94290 |
0_2_02B94290 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B92620 |
0_2_02B92620 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B97468 |
0_2_02B97468 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B93988 |
0_2_02B93988 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B93180 |
0_2_02B93180 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B95130 |
0_2_02B95130 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B94282 |
0_2_02B94282 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B96AF8 |
0_2_02B96AF8 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B96AE8 |
0_2_02B96AE8 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B97ED0 |
0_2_02B97ED0 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B95E28 |
0_2_02B95E28 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B96E20 |
0_2_02B96E20 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B9BA20 |
0_2_02B9BA20 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B95E19 |
0_2_02B95E19 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B92610 |
0_2_02B92610 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B96E10 |
0_2_02B96E10 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B97268 |
0_2_02B97268 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B97258 |
0_2_02B97258 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B97E54 |
0_2_02B97E54 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B94FFF |
0_2_02B94FFF |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B930D0 |
0_2_02B930D0 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B9BC38 |
0_2_02B9BC38 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B95038 |
0_2_02B95038 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B97018 |
0_2_02B97018 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B97008 |
0_2_02B97008 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B97459 |
0_2_02B97459 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B9B598 |
0_2_02B9B598 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B93DE8 |
0_2_02B93DE8 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B93938 |
0_2_02B93938 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B93978 |
0_2_02B93978 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_04F50133 |
0_2_04F50133 |
Source: b2NaDSFu9T.exe |
Binary or memory string: OriginalFilename vs b2NaDSFu9T.exe |
Source: b2NaDSFu9T.exe, 00000000.00000002.263411006.0000000005260000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameSimpleUI.dll( vs b2NaDSFu9T.exe |
Source: b2NaDSFu9T.exe, 00000000.00000002.263841980.00000000057A0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameDSASignature.dll@ vs b2NaDSFu9T.exe |
Source: b2NaDSFu9T.exe, 00000000.00000002.263181372.0000000005110000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamemscorrc.dllT vs b2NaDSFu9T.exe |
Source: b2NaDSFu9T.exe, 00000000.00000002.258151442.0000000001069000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenamemscorwks.dllT vs b2NaDSFu9T.exe |
Source: b2NaDSFu9T.exe |
Binary or memory string: OriginalFilenameInterfaceTypeAttribute.exe6 vs b2NaDSFu9T.exe |
Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.260256472.0000000003F11000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.b2NaDSFu9T.exe.41a1120.2.unpack, type: UNPACKEDPE |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: Select * from Clientes WHERE id=@id;; |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data); |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: Select * from SecurityLogonType WHERE id=@id; |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo; |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade); |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone); |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data); |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor); |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo) |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_007C8A79 push cs; iretd |
0_2_007C8BA4 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_007C9E79 push cs; retf |
0_2_007C9E84 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_007C9477 push cs; ret |
0_2_007C9484 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_007C9E87 push cs; retf |
0_2_007C9EA0 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Code function: 0_2_02B99072 push cs; ret |
0_2_02B99073 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: vmware |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: VMWARE |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: VMware SVGA II |
Source: b2NaDSFu9T.exe, 00000000.00000002.258945318.0000000002F4B000.00000004.00000001.sdmp |
Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000 |
Source: C:\Users\user\Desktop\b2NaDSFu9T.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 824008 |