Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack |
Malware Configuration Extractor: NanoCore {"Version": ".0.0.0,", "Mutex": "a7fa722b-7dae-45b1-afa6-302155a5", "Group": "Default", "Domain1": "wespeaktruthtoman.sytes.net", "Domain2": "wespeaktruthtoman12.sytes.net", "Port": 5600, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"} |
Source: Yara match |
File source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h |
0_2_01191690 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h |
0_2_011915A0 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h |
0_2_01191638 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 4x nop then mov ecx, dword ptr [ebp-38h] |
0_2_053D6F54 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 4x nop then mov ecx, dword ptr [ebp-38h] |
0_2_053DA988 |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: http://checkip.dyndns.org/ |
Source: 13efMb6ayq.exe, 00000000.00000002.243990693.0000000002FC0000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: http://servermanager.miixit.org/1 |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: http://servermanager.miixit.org/downloads/ |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k= |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: http://servermanager.miixit.org/index_ru.html |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlc |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name= |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC5http://servermana |
Source: Yara match |
File source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE |
Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011935F8 |
0_2_011935F8 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_0119B010 |
0_2_0119B010 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01192440 |
0_2_01192440 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011918B0 |
0_2_011918B0 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011904F9 |
0_2_011904F9 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01192BB0 |
0_2_01192BB0 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011965B8 |
0_2_011965B8 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011965C8 |
0_2_011965C8 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01196C31 |
0_2_01196C31 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01195370 |
0_2_01195370 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01195360 |
0_2_01195360 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011923A0 |
0_2_011923A0 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011967D9 |
0_2_011967D9 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011967E8 |
0_2_011967E8 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01196211 |
0_2_01196211 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01196A10 |
0_2_01196A10 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01196A00 |
0_2_01196A00 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053D1F50 |
0_2_053D1F50 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053D5668 |
0_2_053D5668 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053D8070 |
0_2_053D8070 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053D1F41 |
0_2_053D1F41 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A98908 |
0_2_05A98908 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A94560 |
0_2_05A94560 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A99008 |
0_2_05A99008 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A94078 |
0_2_05A94078 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A97FD8 |
0_2_05A97FD8 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A9A69D |
0_2_05A9A69D |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A99638 |
0_2_05A99638 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A98192 |
0_2_05A98192 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A9312D |
0_2_05A9312D |
Source: 13efMb6ayq.exe |
Binary or memory string: OriginalFilename vs 13efMb6ayq.exe |
Source: 13efMb6ayq.exe, 00000000.00000002.250794149.00000000053F0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameDSASignature.dll@ vs 13efMb6ayq.exe |
Source: 13efMb6ayq.exe, 00000000.00000002.243990693.0000000002FC0000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameIRuntimeMethodInfo.exeF vs 13efMb6ayq.exe |
Source: 13efMb6ayq.exe, 00000000.00000002.243990693.0000000002FC0000.00000004.00000001.sdmp |
Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 13efMb6ayq.exe |
Source: 13efMb6ayq.exe, 00000000.00000002.251326518.0000000006060000.00000002.00000001.sdmp |
Binary or memory string: originalfilename vs 13efMb6ayq.exe |
Source: 13efMb6ayq.exe, 00000000.00000002.251326518.0000000006060000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 13efMb6ayq.exe |
Source: 13efMb6ayq.exe, 00000000.00000002.251181665.0000000005F60000.00000002.00000001.sdmp |
Binary or memory string: System.OriginalFileName vs 13efMb6ayq.exe |
Source: 13efMb6ayq.exe, 00000000.00000002.243269353.0000000002AB1000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenameSimpleUI.dll( vs 13efMb6ayq.exe |
Source: 13efMb6ayq.exe |
Binary or memory string: OriginalFilenameIRuntimeMethodInfo.exeF vs 13efMb6ayq.exe |
Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE |
Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: Select * from Clientes WHERE id=@id;; |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data); |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: Select * from SecurityLogonType WHERE id=@id; |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo; |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade); |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone); |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data); |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor); |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo) |
Source: unknown |
Process created: C:\Users\user\Desktop\13efMb6ayq.exe 'C:\Users\user\Desktop\13efMb6ayq.exe' |
|
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KdoySzebyGeRTO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE80E.tmp' |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
|
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KdoySzebyGeRTO' /XML 'C:\Users\user\AppData\Local\Temp\tmpE80E.tmp' |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_008413CC push ebp; iretd |
0_2_008413CD |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_00841B18 push edi; ret |
0_2_00841B2A |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01198174 push es; ret |
0_2_0119817A |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011984E0 push ebp; iretd |
0_2_011984E1 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_011940E6 push esi; ret |
0_2_011940E7 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_0119931D push edi; ret |
0_2_0119931E |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_01199327 push edi; ret |
0_2_01199328 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053DE071 pushad ; ret |
0_2_053DE083 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053DDD59 push es; ret |
0_2_053DDD5A |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053DDD5B push es; ret |
0_2_053DDD62 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053DDD41 push es; ret |
0_2_053DDD42 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053DDD43 push es; ret |
0_2_053DDD4A |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_053D9ED8 pushfd ; ret |
0_2_053D9EE1 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Code function: 0_2_05A91DCE push edx; retf |
0_2_05A91DD0 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: vmware |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath " |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: VMWARE |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: 13efMb6ayq.exe, 00000000.00000003.242407864.0000000000D20000.00000004.00000001.sdmp |
Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f:y |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: VMware SVGA II |
Source: 13efMb6ayq.exe, 00000000.00000002.243331566.0000000002B03000.00000004.00000001.sdmp |
Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Queries volume information: C:\Users\user\Desktop\13efMb6ayq.exe VolumeInformation |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\13efMb6ayq.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: Yara match |
File source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.244161403.0000000003AB1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.247174227.00000000047E3000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 13efMb6ayq.exe PID: 4664, type: MEMORY |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.4984be8.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.4984be8.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.13efMb6ayq.exe.47e3168.3.raw.unpack, type: UNPACKEDPE |