Source: C:\Users\user\AppData\Local\Temp\services.exe |
Avira: detection malicious, Label: BDS/Backdoor.fszhy |
Source: C:\Windows\java.exe |
Avira: detection malicious, Label: TR/Spy.Banker.Gen |
Source: C:\Users\user\AppData\Local\Temp\tmp4F4F.tmp |
Avira: detection malicious, Label: TR/Spy.Banker.Gen |
Source: C:\Windows\services.exe |
Avira: detection malicious, Label: BDS/Backdoor.fszhy |
Source: Yara match |
File source: 0.2.mail.txt .exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.java.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: mail.txt .exe PID: 6968, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: java.exe PID: 3664, type: MEMORYSTR |
Source: C:\Users\user\Desktop\mail.txt .exe |
Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, |
0_2_005052AD |
Source: C:\Windows\java.exe |
Code function: 3_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, |
3_2_005052AD |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ |
Jump to behavior |
Source: mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp |
String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s |
Source: mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp |
String found in binary or memory: http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=%s&nbq=%dhttp://www.altavista.c |
Source: mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp |
String found in binary or memory: http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= |
Source: Amcache.hve.10.dr |
String found in binary or memory: http://upx.sf.net |
Source: mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp |
String found in binary or memory: http://www.altavista.com/web/results?q=%s&kgs=0&kls=0 |
Source: mail.txt .exe, mail.txt .exe, 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, java.exe, java.exe, 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp |
String found in binary or memory: http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s |
Source: Yara match |
File source: 0.2.mail.txt .exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 3.2.java.exe.500000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000003.00000002.4465723940.0000000000501000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2729074743.0000000000501000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: mail.txt .exe PID: 6968, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: java.exe PID: 3664, type: MEMORYSTR |
Source: mail.txt .exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: java.exe.0.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: tmp4F4F.tmp.3.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\java.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: napinsp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: pnrpnsp.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: wshbth.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: nlaapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: winrnr.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\services.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: mail.txt .exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: java.exe.0.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: tmp4F4F.tmp.3.dr |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: unknown |
Process created: C:\Users\user\Desktop\mail.txt .exe C:\Users\user\Desktop\mail.txt .exe |
|
Source: C:\Users\user\Desktop\mail.txt .exe |
Process created: C:\Windows\services.exe C:\Windows\services.exe |
|
Source: unknown |
Process created: C:\Windows\java.exe "C:\Windows\java.exe" |
|
Source: C:\Windows\java.exe |
Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe |
|
Source: unknown |
Process created: C:\Windows\services.exe "C:\Windows\services.exe" |
|
Source: C:\Users\user\Desktop\mail.txt .exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6968 -s 1264 |
|
Source: C:\Users\user\Desktop\mail.txt .exe |
Process created: C:\Windows\services.exe C:\Windows\services.exe |
Jump to behavior |
Source: C:\Windows\java.exe |
Process created: C:\Users\user\AppData\Local\Temp\services.exe C:\Users\user\AppData\Local\Temp\services.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Code function: 0_2_0050A42D push ds; ret |
0_2_0050A42E |
Source: C:\Users\user\Desktop\mail.txt .exe |
Code function: 0_2_0050DEA6 push ds; ret |
0_2_0050DEBE |
Source: C:\Users\user\Desktop\mail.txt .exe |
Code function: 0_2_0050A501 push ecx; retf |
0_2_0050A53F |
Source: C:\Users\user\Desktop\mail.txt .exe |
Code function: 0_2_0050A50F push ecx; retf |
0_2_0050A53F |
Source: C:\Users\user\Desktop\mail.txt .exe |
Code function: 0_2_00509BA2 push edx; retf |
0_2_00509BAB |
Source: C:\Windows\services.exe |
Code function: 1_2_00405A55 push es; iretd |
1_2_00405A8E |
Source: C:\Windows\java.exe |
Code function: 3_2_0050A42D push ds; ret |
3_2_0050A42E |
Source: C:\Windows\java.exe |
Code function: 3_2_0050DEA6 push ds; ret |
3_2_0050DEBE |
Source: C:\Windows\java.exe |
Code function: 3_2_0050A501 push ecx; retf |
3_2_0050A53F |
Source: C:\Windows\java.exe |
Code function: 3_2_0050A50F push ecx; retf |
3_2_0050A53F |
Source: C:\Windows\java.exe |
Code function: 3_2_00509BA2 push edx; retf |
3_2_00509BAB |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\mail.txt .exe |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaVM |
Jump to behavior |
Source: C:\Windows\services.exe |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services |
Jump to behavior |
Source: C:\Windows\services.exe |
Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Services |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092 |
Thread sleep time: -84000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092 |
Thread sleep count: 34 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092 |
Thread sleep count: 62 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe TID: 6092 |
Thread sleep count: 297 > 30 |
Jump to behavior |
Source: C:\Windows\services.exe TID: 7156 |
Thread sleep count: 2878 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 2468 |
Thread sleep count: 356 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 2468 |
Thread sleep time: -284800s >= -30000s |
Jump to behavior |
Source: C:\Windows\java.exe TID: 4124 |
Thread sleep count: 42 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 4124 |
Thread sleep count: 42 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 4124 |
Thread sleep count: 251 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 2468 |
Thread sleep count: 8716 > 30 |
Jump to behavior |
Source: C:\Windows\java.exe TID: 2468 |
Thread sleep time: -6972800s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460 |
Thread sleep count: 7251 > 30 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460 |
Thread sleep time: -1812750s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460 |
Thread sleep count: 2747 > 30 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\services.exe TID: 2460 |
Thread sleep time: -686750s >= -30000s |
Jump to behavior |
Source: C:\Windows\services.exe TID: 6048 |
Thread sleep count: 9895 > 30 |
Jump to behavior |
Source: C:\Windows\services.exe TID: 6048 |
Thread sleep time: -2473750s >= -30000s |
Jump to behavior |
Source: C:\Windows\services.exe TID: 6048 |
Thread sleep count: 103 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
Code function: 0_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, |
0_2_005052AD |
Source: C:\Windows\java.exe |
Code function: 3_2_005052AD lstrcat,Sleep,lstrcpy,lstrcpy,lstrlen,lstrcat,lstrcat,memset,FindFirstFileA,FindNextFileA,lstrcpy,lstrlen,lstrcat,lstrcat,Sleep,FindClose, |
3_2_005052AD |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\ |
Jump to behavior |
Source: C:\Users\user\Desktop\mail.txt .exe |
File opened: C:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\ |
Jump to behavior |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.10.dr |
Binary or memory string: vmci.syshbin |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.10.dr |
Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.10.dr |
Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.10.dr |
Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: mail.txt .exe, 00000000.00000003.2426549427.0000000000821000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.10.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.10.dr |
Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.10.dr |
Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.10.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: mail.txt .exe, 00000000.00000002.2729293430.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.4466533402.000000000082E000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000004.00000002.4466269343.0000000000812000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000005.00000002.4466259388.0000000000800000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: services.exe, 00000001.00000002.4466417572.0000000000812000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll# |
Source: Amcache.hve.10.dr |
Binary or memory string: vmci.sys |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.10.dr |
Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.10.dr |
Binary or memory string: \driver\vmci,\driver\pci |
Source: mail.txt .exe, 00000000.00000003.2426549427.0000000000821000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: i VMware, Inc. |
Source: Amcache.hve.10.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware20,1 |
Source: Amcache.hve.10.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.10.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.10.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.10.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.10.dr |
Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.10.dr |
Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.10.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.10.dr |
Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.10.dr |
Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
Source: Amcache.hve.10.dr |
Binary or memory string: msmpeng.exe |
Source: Amcache.hve.10.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Source: Amcache.hve.10.dr |
Binary or memory string: MsMpEng.exe |
Source: C:\Users\user\Desktop\mail.txt .exe |
Code function: 0_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread, |
0_2_0050311C |
Source: C:\Windows\java.exe |
Code function: 3_2_0050311C FindWindowA,FindWindowA,FindWindowA,FindWindowA,RtlExitUserThread,GetModuleHandleA,GetProcAddress, |
3_2_0050311C |
Source: C:\Windows\services.exe |
Code function: 1_2_00401F0E GetProcessHeap,RtlAllocateHeap,htons,htons,socket,closesocket,Sleep,htons,socket,bind,listen,CreateThread,select,Sleep,GetProcessHeap,RtlAllocateHeap,accept,closesocket,accept,GetProcessHeap,HeapFree,CreateThread,CloseHandle, |
1_2_00401F0E |